Why HKS should adopt LastPass

Christian Cuellar
3 min read · Oct 30, 2020

Cyber-security has become one of the largest challenges of our time, and universities are not exempt from this threat. The Harvard Kennedy School is an attractive target for attackers for at least three reasons:

  1. Attackers might want students' personal information, either to publish it, to sell it, or to use it as a stepping stone to other data (such as students' bank accounts).
  2. Attackers might want the credentials of the Dean or other high-level members of the community, whether to push a political idea or world view or simply out of revenge.
  3. Some attackers are fixated on exposing weaknesses in a well-recognized brand such as Harvard, to show that even the best universities are vulnerable.

The defenses available against these attacks come down to the strength of our passwords and to additional mechanisms for authenticating users. It is no surprise that most websites now require passwords built from odd combinations of characters and verify logins through email or phone codes. A second factor helps, but it does nothing about a password that is reused everywhere. And creating many complicated, distinct passwords is a real burden, considering that an average person has 70 to 80 of them.

LastPass is an excellent option for this task. It is a password manager that keeps passwords in a vault that is encrypted on the user's device with a key derived from a single master password, then synced online; the user only has to remember that one master password. HKS should make it mandatory for two reasons: to stop the same password from being used across the different HKS services, and to reduce exposure to phishing.

Multiple services, multiple logins, but the same password? The HKS environment requires at least five different logins for students: email, KNET and Canvas, my.harvard, Harvard University Health Services, and Harvard Housing (to some extent, we should also count the HUECU bank login for international students). Worse, students must create all of these passwords in the very weeks when their memory is busy with new faces, new names, and the way to the bathroom! It would not be surprising, then, if students used one password for all of these sites. That password is probably also reused from other services, like Gmail or Facebook, so a breach at any of those sites would hand an attacker a working HKS credential. LastPass lets students create a different, complex password for each site, stores them in a vault, and takes the load off the community's memory.

Constant logins open the door to phishing. Imagine that attackers are genuinely interested in stealing information from HKS students or faculty. They clone the appearance of one of our websites and ask for our credentials after we click a random Google result that supposedly leads to a paper or an article. Because we enter our username and password so many times a day, we would not suspect this page. A password manager helps here because it only offers saved credentials on the exact site where they were saved: on the look-alike page nothing is filled in, and that silence is the warning sign. The protection holds only as long as the user does not then type or paste the password by hand.
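As an added illustration (example code, not LastPass's implementation and not part of the original post), the toy vault below shows the two behaviours the argument above relies on: it generates a distinct random password for each site, and it fills credentials only when the current page's origin matches the one the entry was saved for, so a cloned or look-alike domain gets nothing. The `Vault` class, the helper names, and the sample hostnames and usernames are assumptions made for the example.

```python
"""Toy password vault: unique per-site passwords plus origin-matched autofill.

Hypothetical example; the names and hostnames below are constructed for
illustration and this is not how any real password manager is built.
"""
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length=20):
    """Return a random password drawn from a cryptographically secure RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def origin_of(url):
    """Return (scheme, hostname) for a URL. Hostname is lowercased, port dropped."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.hostname or ""


def host_matches(saved_host, current_host):
    """True if current_host is saved_host or a subdomain of it.

    Look-alikes such as 'my-harvard.edu' or 'harvard.edu.evil.example'
    do not match 'harvard.edu', because the check is on whole labels,
    not on substrings.
    """
    return current_host == saved_host or current_host.endswith("." + saved_host)


class Vault:
    """In-memory vault keyed by hostname (constructed example)."""

    def __init__(self):
        self._entries = {}  # hostname -> (username, password)

    def add(self, url, username, password=None):
        """Save credentials for the origin of url, generating a password if none given."""
        scheme, host = origin_of(url)
        if scheme != "https" or not host:
            raise ValueError("refusing to save credentials for a non-HTTPS origin")
        password = password or generate_password()
        self._entries[host] = (username, password)
        return password

    def autofill(self, url):
        """Return (username, password) only if url's origin matches a saved entry.

        Returns None for unknown hosts, for look-alike hosts, and for plain
        HTTP even on a known host (a downgraded page is a phishing signal too).
        """
        scheme, host = origin_of(url)
        if scheme != "https":
            return None
        for saved_host, creds in self._entries.items():
            if host_matches(saved_host, host):
                return creds
        return None


if __name__ == "__main__":
    vault = Vault()
    vault.add("https://my.harvard.edu/login", "student")
    vault.add("https://canvas.harvard.edu/", "student")
    for page in ("https://my.harvard.edu/login?next=/grades",
                 "https://my-harvard.edu/login",
                 "https://my.harvard.edu.evil.example/login",
                 "http://my.harvard.edu/login"):
        print(page, "->", "filled" if vault.autofill(page) else "nothing offered")
```

The interesting cases are the three that return nothing: a hyphenated look-alike, a host that merely contains the real name as a prefix, and the real host over plain HTTP. A user who has stopped typing passwords by hand notices the missing autofill immediately, which is the whole point of the argument above.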

The benefits of making LastPass mandatory for every member of the HKS community depend on two conditions. First, it would be necessary to confirm that users do not log into HKS services from devices they do not own (such as public computers); if they do, they will be less willing to create complicated, distinct passwords, because the manager is not there to fill them in. Second, the IT team must insist that the master password be long and unique, and that the LastPass account itself be protected with a second factor. Centralizing every password in one place makes that one password the single point of failure for that user.

LastPass is a viable path to improving both security and user experience across the HKS community. The school's leadership should accept this smaller, well-understood risk in order to avoid larger ones.
