Should HKS mandate stakeholders to use LastPass? A discussion on cyber-security.

In the 1987 sci-fi comedy Spaceballs, the character Dark Helmet, after being told the combination to the air shield's lock, remarks: "So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!" Most web applications today would discourage users from choosing such a short password. Nonetheless, according to Security Magazine, the worst password of 2017, for the second year in a row, remained "123456". Another telling example is Kanye West's inadvertent leak of his iCloud passcode when he unlocked his phone live on video, exposing it to everyone watching. This goes to show that many system users are, for various reasons, very careless when it comes to protecting data and restricting access to information, and that they continue to use weak, easy-to-crack passwords to protect information online.

In general, a system is only as strong as its weakest link. This is as true for ordinary ICT users as it is for organisations. It means that a lot of online data is still very vulnerable to hacking and a lot of online systems are vulnerable to intrusion. It is therefore entirely possible for institutions such as HKS, and their stakeholder users, to spend a lot of money on security systems and still not be truly secure, because of security vulnerabilities, especially at the human level. More so because, by its very nature, as host to strategic experts, former cabinet officials, top global security and international relations resource persons, and generally as a repository of groundbreaking know-how, some of it proprietary or of a strategic nature, the school is a potential target for cyber attacks.

Because most users need multiple passwords to access different online resources, many end up reusing the same passwords across multiple platforms, in some cases simplifying them so that they are easier to remember. To deal with this challenge, password managers can be used to store multiple passwords. Password managers keep login details for online applications or websites and help log into them automatically, so that one does not need to remember all of one's passwords. This is achieved by encrypting the stored passwords under a master password, so that the master password is the only one you need to remember. This is very convenient. Given this convenience, the question that arises is: should HKS make this mandatory for its system stakeholders?

Password management solutions have their own vulnerabilities, depending on their engineering. As Schneier argues, despite the possible flaws of password managers, they remain a convenient way of managing complex passwords, a trade-off against the reality that users otherwise fall back on weak and vulnerable passwords.

Back to the question: should LastPass be mandatory or not? The answer depends on the totality of defenses against cyber threats such as hacking. In the case of HKS, there are multiple layers of security. The first is HarvardKey, Harvard University's unified user credential, which uniquely identifies users and grants them access to applications and services. The second layer is the mandatory two-factor authentication solution, which requires the user to confirm their login through verification on a second device. LastPass would therefore be one more layer, most useful for access to non-HKS online resources. On this basis, I argue that LastPass should be encouraged, but not mandated.

Yet there are additional reasons not to make LastPass mandatory.

Mandating LastPass would amount to mandating a specific vendor solution, including the flaws that come with it. LastPass, like other password managers, has its own vulnerabilities which, even though they get patched from time to time, have been exploited by hackers. For example, in 2016 a hacker blogged about how he harvested LastPass passwords. The fact that password managers spare users headaches by logging them into accounts automatically does not mean they are immune to security breaches.

Hacking of passwords is an adversarial act, which may be driven by curiosity, obsession, boredom, thrill-seeking, warfare, malice, revenge, the pursuit of money, or self-promotion, among various other motivations. Making one password management solution mandatory exposes all users to LastPass's own technological weaknesses as soon as an adversary identifies them.

In addition, besides blurring the boundary between public and private spaces, since passwords for all sorts of applications are stored in the same solution, LastPass, like other password managers in its category, also allows syncing across multiple devices. This amplifies the risk of attack via password syncing, as highlighted by Silver and others: such synchronization opens up the possibility of password extraction from any of the synced devices.

Cyber-security threats to HKS are potentially high. There are already multiple security layers protecting and restricting access to Harvard-specific resources. Users at HKS can use LastPass to manage passwords, both for personal online access and for HKS-related access. However, the foregoing arguments show that, although desirable, it is not necessary to mandate the use of LastPass as a password management solution at Harvard.


  1. Sam Threlfall

    October 24, 2018 @ 2:05 pm

    The article is really impressive. Recently Google started generating secure passwords for users automatically, but what's the use when my colleague accesses my laptop and opens a website, and Google thinks it is obviously me and opens it for them? Then where is the security? Really ridiculous. Thanks for sharing.

  2. Taurai Chinyamakobvu

    November 3, 2018 @ 1:30 am

    Thanks for the comment. You pose a pertinent question here.
