Should LastPass be mandatory at the Harvard Kennedy School?

Donghe Liu
3 min read, Oct 28, 2020

This post is part of Harvard Kennedy School’s Digital Government Course Assignment.

LastPass, a password manager, generates and stores all of a user's passwords in an encrypted vault that can only be unlocked with a single strong master password, so users can retrieve their credentials on any device. The vault can also auto-generate long, random passwords that are impractical for attackers to guess or brute-force. More importantly, the vault is encrypted and decrypted on the user's own device, so LastPass itself never holds the master password or the decrypted contents.

Cybersecurity Challenges:
As technology continues to evolve, cybersecurity threats are growing more sophisticated, and cyberattacks on higher education institutions are on the rise. On the one hand, higher education is an appealing target because universities and colleges hold a treasure trove of valuable information. On the other hand, the comparatively weak IT infrastructure of the education sector expands the attack surface: a single compromised device connected to a campus network can give an attacker a foothold from which to reach other systems and data. HKS has roughly 1,100 full-time students and more than 250 faculty members, and its intellectual property and cutting-edge research make it a target. In 2015, Harvard University was hit by a data breach that affected at least eight of its schools and administrative organizations. In May 2020, a data breach at Blackbaud, a global provider of financial and fundraising software, may have put Harvard community members' data at risk.

With the growth in both the number and the complexity of cyberattacks, some people argue that HKS should require all students, faculty, and staff to use LastPass in order to keep their personal information assets secure. Others contend that relying on a single master password is too risky, because cybercriminals can concentrate on that one account to gain access to everything a user stores behind it. Considering the risks and costs associated with mandating this system, I do not recommend making LastPass mandatory for the HKS community.

The Pros of Using LastPass:
Before moving on to the risks, it is essential to assess the pros of using such a platform. Needless to say, LastPass is convenient: passwords sync across all of a user's devices. The master password is never sent to LastPass. Encryption and decryption occur locally on the user's device rather than on any server, so only the already-encrypted vault travels over the Internet, and the plaintext passwords never do. In terms of security and privacy, LastPass encrypts the vault with AES-256, the same algorithm the U.S. Government approves for top-secret data, with the vault key derived from the master password using PBKDF2. The Security Dashboard feature displays security scores and dark web monitoring alerts. Furthermore, Harvard provides all members of the Harvard community with a free premium subscription to LastPass.

Source: https://security.harvard.edu/lastpass

The Cons of Using LastPass:
Despite its enormous benefits, the risks are too immense for HKS to make LastPass mandatory. A service that aggregates all of a user's passwords into a single vault makes that vault a high-value target. Cybercriminals can focus their efforts on the password manager itself, since breaking one account yields every credential behind it. Because of the local-only encryption, a break-in at LastPass would not hand attackers plaintext passwords directly, but it would hand them the encrypted vaults, after which recovering the contents becomes an offline guessing attack against each user's master password, with no rate limit and no lockout: short or reused master passwords fall quickly, and only long passphrases and a high key-derivation cost hold out. Compromise on the user's side, such as a phished master password or malware on a device where the vault is unlocked, bypasses the encryption entirely. The company has experienced several security incidents and other issues since 2011, which has made users aware of the system's vulnerabilities, and after each incident users have been asked to change their master passwords. If the one thing everything depends on breaks, it all goes down.
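To make the two points above concrete (the vault is encrypted on the device and only ciphertext plus a login hash reach the server; a breach of that server therefore turns into an offline guessing attack on the master password), here is an added Python sketch of the design. It is not LastPass's code and is written for this post: the iteration count, the email-as-salt choice, the nonce size and the HMAC-SHA256 counter-mode keystream standing in for AES-256 (the Python standard library has no AES) are all assumptions, and the accounts and wordlist are constructed.

```python
import hashlib
import hmac
import secrets

# Added illustration of the zero-knowledge vault design discussed in the post.
# Not LastPass's code; the parameters below are assumptions for the example.
ITERATIONS = 100_100  # assumed PBKDF2 round count; real services raise this over time


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Runs on the client only. The email is the salt, so two users with the same
    master password get different keys. The result never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """The only password-derived value the server stores. It is computed from the vault
    key, so the server cannot walk backwards from it to the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for AES because the stdlib has no AES.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(vault_key: bytes):
    enc_key = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client. Only the returned blob is uploaded for sync."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting. A wrong master password gives a wrong key,
    which fails here instead of silently producing garbage."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def offline_guess(email: str, stolen_auth_hash: bytes, wordlist, iterations: int = ITERATIONS):
    """What a server-side breach hands an attacker: the auth hash plus unlimited offline
    guesses. Each guess costs the full PBKDF2 work, which is all that slows the attacker."""
    for guess in wordlist:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(derive_auth_hash(key, guess), stolen_auth_hash):
            return guess
    return None


def demo() -> dict:
    # Constructed sample data: a made-up account, a tiny wordlist, a toy vault.
    email = "student@example.edu"
    wordlist = ["123456", "password", "harvard2020", "Password123", "letmein"]
    vault = b"hks-portal: Tr0ub4dor&3\nbank: correct-horse-battery-staple\n"

    results = {}
    for label, master in (("weak", "harvard2020"),
                          ("strong", "river-lantern-granite-umbrella-47")):
        key = derive_vault_key(master, email)
        blob = encrypt_vault(key, vault)            # everything the server stores ...
        auth_hash = derive_auth_hash(key, master)   # ... together with this login hash
        results[label] = {
            "roundtrip": decrypt_vault(key, blob) == vault,
            "cracked": offline_guess(email, auth_hash, wordlist),
        }
    # A wrong master password fails closed instead of returning a corrupted vault.
    right = derive_vault_key("right", email)
    wrong = derive_vault_key("wrong", email)
    try:
        decrypt_vault(wrong, encrypt_vault(right, vault))
        results["wrong_password_detected"] = False
    except ValueError:
        results["wrong_password_detected"] = True
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Run it and the "weak" account is recovered from the stolen auth hash by the five-word list while the passphrase survives it, which is the whole of the security argument for and against the single master password: the server never sees plaintext, so the design stands or falls on how guessable that one secret is and how expensive each guess is made.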

Moreover, another situation that could be disastrous is a user accidentally deleting one of the long passwords generated by the vault. A generated password was never memorised, so unless the user kept a backup of the vault (for example an exported copy) there is nothing to reconstruct it from, and the same local-only encryption that keeps LastPass from reading the vault also means LastPass cannot recover its contents on the user's behalf.

Conclusion:
Regarding the question, I believe that LastPass should not be mandatory at HKS because the risks and costs outweigh the benefits of using this service. It is important for HKS to reassess its own IT infrastructure and take a more proactive approach to ensuring its cybersecurity.
