Should Password Managers be Mandatory?

Ena Solórzano
4 min read · Oct 29, 2020

Note: This post is part of a series of posts for the course DPI-662: “Digital Government: Technology, Policy, and Public Service Innovation” at the Harvard Kennedy School of Government.

80% of hacking-related breaches involve compromised or weak passwords and login credentials. The truth is that as we open more and more personal accounts for every aspect of our lives in our digital economy and social-media-driven world, our password management practices have remained largely unchanged. “Password” and “123456789” still rank among the most popular passwords around. In response to the bad habit of using weak passwords or re-using the same password over and over again, password managers like LastPass came to be. LastPass promises “effortless security from anywhere.” In this post, I examine whether this promise is good enough for the Harvard Kennedy School to consider making LastPass mandatory for its students, faculty, and staff.

We will start by exploring the benefits of a service like LastPass when it comes to key features, security, and usability. Among the key features of LastPass we find that it:

· Allows you to store all passwords in one secure location

· Generates complex passwords unique to each of your accounts

· Is accessible from and syncs with various devices

· Enables autofill capabilities when logging in to saved accounts

As is evident from these key features, the major benefit of LastPass is that it allows its users to use and manage more complex passwords and improves password security by removing the need to use simple or repeated passwords across accounts and platforms. Given its flexibility and transferability from one device to another, LastPass makes it easier to increase an individual’s security.

While LastPass makes password management convenient for its users, it is not necessarily immune to leaks or attacks, as Google reported in 2019. Although it is a step up from status quo password management, a password manager can become a single point of failure when it comes to security. If a LastPass Master Password is leaked, an individual’s entire password inventory can be accessed by a bad actor. While LastPass is heavily encrypted, by being a single point of failure it can become a target for hackers and bad actors. This begs the question: is making LastPass mandatory the right move for an organization or institution like HKS?

To best answer this question, it is important to consider the security threats that would target HKS and what the motivations for such an attack would be, and then to determine whether LastPass would be a good way to prevent or deter possible attacks. HKS systems are only as strong as the weakest password among its staff, faculty, and students. Therefore, it is possible for HKS systems to be hacked, abused, or held hostage by bad actors should they infiltrate them. With high-profile faculty, research, and occasionally high-profile students, there are valid reasons why HKS would be a target of cyber-attacks. Getting access to high-profile data, high-profile email accounts, or even personal information from faculty, staff, and students are all possible motivators for infiltrating HKS systems. With research, data, and experts ranging from diplomacy, to warfare, to politics, adversary motivations for targeting HKS can include diplomacy and warfare, malice toward certain individuals, system abuse to affect politics, or even system abuse to protect organizations, people, or countries that could be exposed through institutional research.

LastPass can, indeed, improve security at the individual level when it comes to password management and should therefore be highly encouraged among HKS faculty, students, and staff. Given that so many hacking-related breaches do involve weak and compromised passwords, there is true value in making LastPass a mandatory tool for all and in that way preventing attacks made possible through compromised passwords. Nonetheless, if made mandatory, LastPass will indeed become a single point of failure for the HKS ecosystem, with more of adversaries’ resources re-directed to exploiting possible LastPass leaks or vulnerabilities within the community.

As such, I believe HKS should not make LastPass mandatory and should instead focus on securing its systems and networks through other tools and cybersecurity methods. In particular, I believe multi-factor authentication, which HKS already uses with DUO, can be a much more effective tool to reduce the risks of the cyber-threats facing the institution, by ensuring that even if credentials are compromised there is a second step required to verify that the right person is trying to access the system. While HKS should worry about the overall cyber-security of its students, staff, and faculty, I do not think making LastPass mandatory would particularly enhance overall cybersecurity for the institution itself. HKS should, therefore, focus its energy on more robust security methods that better protect the institution while continuing to educate its stakeholders on the importance of password management overall, without mandating the use of LastPass.

Ena Solórzano

Salvadoreña. MBA/MPA Candidate at MIT Sloan and Harvard Kennedy School of Government. Twitter: @enasolo