Should HKS mandate LastPass?

Pat Mitchell
4 min read · Oct 30, 2020

In my first job after college, I was assigned to a project that helped manage the supply chain for a federal agency. One of the first rites of passage for all contractors and full-time employees alike is security orientation. Run by a very engaging and intimidating counterintelligence officer, it contained explicit instructions reinforced with the parables of his favorite “busts” of people who had broken security protocol in the office. The vast majority of these busts involved committing his cardinal sin: writing down your passwords (and inherently, I suppose, him finding out about it on one of his walkthroughs). There was one password in particular that really animated his presentation: an 8-digit personal PIN that was needed in combination with an agency badge to do pretty much anything.

Most people broke this rule in predictable ways, usually involving a yellow post-it note with the obvious tell of “password” or the shorthand “PW” written on it, but his favorite story involved someone who thought he was much more clever. His desk was completely inconspicuous, other than four oversize NFL player stickers on the wall above his monitor, each bearing a two-digit jersey number. One day, it finally dawned on the counterintelligence officer that these weren’t just his four favorite NFL players: their numbers, in that exact order, composed his 8-digit PIN.

“Nice try,” he wrote on the security violation notice he taped over one of the players.

As the Harvard Kennedy School assesses whether to institute a policy requiring members of its community to use a password manager like LastPass, this story reminds me that security policies need to be tailored to the threats and constraints of a specific context. I’ll argue that the optimal approach for HKS is not to issue a blanket mandate, but to go through a process that identifies (1) the resources it wants to protect, (2) the users whose compromised accounts would pose the greatest threat to those resources, and (3) the costs and benefits of mandating LastPass for each group.

When it comes to setting rules for access to sensitive information and systems, what is right for this federal agency is not necessarily right for everyone else. There, the main threat was an insider who could access information or perform functions they were not entitled to by stealing a colleague’s credentials, so a PIN visible to anyone walking past a desk was a real exposure. For most of us in the HKS community, the threat is remote rather than down the hall, and our friend with the NFL stickers may actually have the right idea by storing his passwords in the analog world: a written list in a drawer at home is unreachable by an attacker on the other side of the internet. Ideally, those passwords are unique to each site and hard to guess, either by intuition or by the machine-enabled “brute force” approach of trying many likely combinations.

The problem is that we are not perfect, nor do we have limitless time and attention. According to a poll conducted by LogMeIn, 59% of people use the same password everywhere. The danger is that if someone’s password for any one site is compromised, their accounts at every other site using the same username and password can be compromised too: attackers routinely take the username and password pairs leaked in one breach and replay them against other services, a technique known as credential stuffing.

LastPass (owned by LogMeIn) is a password management service that generates tough-to-guess random passwords and stores them for you, which addresses the common problem of a non-trivial number of people making their password some variant of “Password1*” and reusing it everywhere. For the price of $36 per year, users create the “last password they ever need to remember” and receive other benefits such as multi-factor authentication, dark web monitoring alerts, and desktop fingerprint identification. The trade-off is that the master password and the vault behind it become the single point of failure, which is why the multi-factor authentication on the vault itself matters. Currently, HKS offers this premium version to all community members while they are at the school. Should it go further?
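To make concrete why a generator’s random password is out of reach of the guessing described above, here is an added example (not LastPass’s code, and not part of the original post). It draws a 16-character password from the operating system’s cryptographic random source, computes its entropy, and runs a small mangling-rule cracker of the kind password-cracking tools use over a constructed wordlist, which finds “Password1*” within a few hundred guesses and never finds the random one. The character set, the wordlist, the rule set and the assumed 10^10 guesses per second are all assumptions for illustration.

```python
"""Added example: random password generation vs. rule-based guessing.

Not LastPass's implementation. Alphabet, wordlist, mangling rules and the
assumed offline guess rate are illustrative assumptions.
"""
import math
import secrets
import string

# Character classes a typical generator draws from (assumed set of symbols).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed wordlist standing in for the top of a cracker's dictionary.
WORDLIST = ["welcome", "summer", "password", "letmein"]


def generate_password(length=16, alphabet=ALPHABET):
    """Draw characters uniformly with the OS CSPRNG (secrets, not random).

    Retries until every character class present in the alphabet appears,
    mirroring managers that enforce 'at least one digit and one symbol'.
    """
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = [cls for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if set(cls) & set(alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to enumerate 2**bits guesses at an assumed offline rate
    (1e10/s is roughly a GPU rig against a fast unsalted hash)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def rule_candidates(wordlist):
    """Yield guesses the way mangling rules do: each word as-is, capitalised
    and upper-cased, then with a digit suffix, then digit plus symbol suffix.
    This is the structure that 'Password1*'-style choices share."""
    suffix_symbols = "!*@#$?"
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for d in range(10):
                yield f"{base}{d}"
                for s in suffix_symbols:
                    yield f"{base}{d}{s}"


def crack_by_rules(target, wordlist=WORDLIST, max_guesses=1_000_000):
    """Return the 1-based guess number at which target is found, or None."""
    for n, candidate in enumerate(rule_candidates(wordlist), start=1):
        if n > max_guesses:
            return None
        if candidate == target:
            return n
    return None


if __name__ == "__main__":
    human = "Password1*"
    machine = generate_password(16)
    print(f"{human!r} found after {crack_by_rules(human)} rule-based guesses")
    print(f"{machine!r} found after {crack_by_rules(machine)} guesses "
          f"(None = not in the rule space)")
    bits = entropy_bits(len(machine), len(ALPHABET))
    print(f"random 16-char entropy: {bits:.1f} bits, "
          f"{years_to_exhaust(bits):.1e} years to exhaust at 1e10 guesses/s")
```

The second point the numbers make is about reuse: because the generator is called once per site, a breach at one site leaks a string that is worthless everywhere else, which is the exposure the 59% figure describes.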

First, let’s consider what HKS wants to protect. The University of Washington security assessment kit frames the impact of a compromise along dimensions as varied as human wellbeing, personal data, physical wellbeing, relationships, and societal wellbeing. A few examples of the resources that HKS might want to safeguard include:

  1. Confidential (and politically-sensitive) research or internal communications between government leaders and school officials
  2. Sensitive information about students, faculty, and staff, such as home addresses or past employment with sensitive employers
  3. Financial details (e.g., bank accounts) that could be used to siphon money from the university or its partners

Second, we should assess how the compromise of a given user account threatens these resources. My hypothesis is that the account of a “vanilla case,” a student enrolled in a degree program or a staff member working in the Facilities department, might not pose a significant concern. Why? They likely could not access this sensitive information anyway, though I would defer to technical experts at the school in making this assessment. Administration officials, senior fellows at HKS-affiliated research centers, and students from authoritarian countries (or from vulnerable rivals of authoritarian countries) could be a different story.

Finally, we should weigh the benefits that instituting LastPass would provide for each of these groups against the associated costs. If we accept that at least some of the 59% of people who consistently reuse passwords online are students or employees of HKS, then not using a password manager leaves the school’s resources exposed to whatever breach happens to hit one of those reused passwords, and a manager like LastPass is an obvious step up from the fallible human-managed alternative. Nevertheless, anyone can say we should have more security, but we don’t live in a world of unlimited resources and perfect compliance. The cost is obviously not just the $36 annual per-user fee (or a bulk-discounted rate somewhere in that ballpark), but also the invisible cost of introducing another mandate on the HKS community.

By selecting a pragmatic approach that prioritizes the resources HKS wants to protect, identifies the user accounts that make those resources vulnerable, and draws the line where benefit exceeds cost, we have the best chance of striking the balance between security and autonomy.
