Managing digital security on campus
Considerations in mandating the use of password managers
This blog post is a submission to an assignment for the course DPI-662 Digital Government: Technology, Policy, and Public Service Innovation at Harvard Kennedy School. The fictional scenario and prompt are as follows:
You are Chief of Staff to the Dean of Harvard Kennedy School and a faculty member is proposing that LastPass be made mandatory for all faculty, students, and staff. You have a meeting with the Dean and the Head of IT — what would you recommend and why? Write your response in the form of a blog post of approximately 500 words.
Although mandating use of LastPass for all faculty, students, and staff seems like a viable proposition for ensuring digital security on campus, this proposal has inherent challenges. Unless the rationale for deploying LastPass is explicitly defined, it is difficult to advocate for mandating its use by all campus affiliates as certain goals may best be served by alternative solutions. Furthermore, password managers including LastPass suffer from vulnerabilities that must also be taken into account. The sections below briefly outline these challenges.
Goals must be identified before exploring solutions
It is important to specify the goal for having faculty, students, and staff use LastPass. Other solutions may be more appropriate depending on the intended goals. Some examples include the following:
- Security: If the idea is to prevent attackers from reaching sensitive data on campus networks through the login credentials of campus affiliates, then strengthening network security may be the more relevant approach.
- Convenience: LastPass may provide campus affiliates with a convenient way to generate and store passwords for apps and services ranging from social media to course management. Using a password manager for this reason is best left to user discretion unless it is directly related to digital security of campus resources.
- Collaboration: Teams and working groups on campus may benefit from sharing logins and passwords for shared services that they frequently use. LastPass may be an attractive proposition for such teams in this case.
Password managers have vulnerabilities of their own
Malicious actors may target vulnerabilities inherent in the design and use of password managers including LastPass. These include:
- Master password: Just as a chain is only as strong as its weakest link, a password manager is only as strong as its master password. Tests earlier this year revealed that popular password managers, including LastPass, held master passwords in PC RAM in plain text, and that they remained accessible even when the password manager was locked.
- Browser extension: While convenient for users, the ability to access LastPass from within the browser presents yet another exposure, as user credentials may be stolen by malicious websites. This can be avoided by using a desktop-based password manager instead.
- Auto-fill: This convenient and commonly used feature of password managers is not secure on its own. Third-party advertising scripts on websites are known to capture login credentials auto-filled by password managers. This can be avoided by disabling the auto-fill feature in LastPass.
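To illustrate the master-password point above, here is an added example in C (constructed for this post, not code from LastPass or any other password manager): a hypothetical vault session that scrubs the master password on lock through a volatile pointer, beside a naive lock that only flips a flag and leaves the secret sitting in RAM. The vault type, function names and the residue check are all assumptions.

```c
#include <string.h>

/* Hypothetical vault session (constructed for this example): the master
 * password is held in memory only while the vault is unlocked. */
#define MAX_MASTER 64

typedef struct {
    char master[MAX_MASTER];
    size_t len;
    int unlocked;
} vault_t;

/* Write through a volatile pointer so the compiler cannot discard the
 * overwrite as a dead store; a plain memset() on a buffer that is never
 * read again is routinely optimised away, leaving the secret in RAM. */
static void secure_wipe(void *buf, size_t n) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (n--) *p++ = 0;
}

void vault_unlock(vault_t *v, const char *master) {
    size_t n = strlen(master);
    if (n >= MAX_MASTER) n = MAX_MASTER - 1;   /* truncate, never overflow */
    memcpy(v->master, master, n);
    v->master[n] = '\0';
    v->len = n;
    v->unlocked = 1;
}

/* The failure mode the tests described: "locked" is only a flag. */
void vault_lock_naive(vault_t *v) { v->unlocked = 0; }

/* Locking must scrub the secret, not just flip the flag. */
void vault_lock(vault_t *v) {
    secure_wipe(v->master, sizeof v->master);
    v->len = 0;
    v->unlocked = 0;
}

/* Residue check: is the master password still anywhere in the buffer?
 * Returns 1 if found, 0 otherwise. */
int vault_has_residue(const vault_t *v, const char *master) {
    size_t n = strlen(master), cap = sizeof v->master;
    if (n == 0 || n > cap) return 0;
    for (size_t i = 0; i + n <= cap; i++)
        if (memcmp(v->master + i, master, n) == 0) return 1;
    return 0;
}
```

After `vault_lock_naive` the residue check still finds the password; after `vault_lock` it does not, which is the behaviour a locked vault should have.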
Recommendation
Given the ambiguity of the goal behind mandating the use of LastPass on campus, the possibility of more relevant alternative solutions, and the vulnerabilities of password managers themselves, we do not recommend proceeding with this proposal at this stage. A revised assessment can be made once the challenges outlined above are addressed.
Parting thoughts
Password managers are still considered to provide better security than reusing passwords. Despite these digital solutions for managing passwords, it is interesting to see the EFF suggest considering more low-tech solutions, such as creating strong passwords using dice or writing them down, for anyone concerned about digital attacks. Manual methods are not obsolete after all!