Locking Harvard’s Gates with LastPass

Image link

Isn’t Harvard secure enough?

No.

Why would adversaries bother to hack us nerds?

What might seem like a simple dataset for an economics project, or a niche departmental Twitter account with a couple hundred followers, could be weaponized for foul purposes. Some of the most likely adversarial motivations to access HKS affiliates’ data include:

  • Self-promotion/politics/world view: HKS attracts a large global audience with its dozens of affiliated websites and social media accounts. Adversaries could co-opt one of these platforms to spread false information, political ads, or self-promoting messages, and public audiences would probably interpret them as credible. This has already happened: in 2015, a pro-Palestinian Anonymous group took over the Institute of Politics’ website and posted political messages.
  • Money: Harvard’s endowment is the largest in the world, and is spread amongst a vast array of bank accounts (academic departments, student clubs, etc.) Accessing just one of these accounts could mean access to a massive credit line.
  • Access: HKS hosts countless research projects, many of which handle sensitive information with personal data. Obtaining any piece of sensitive information could enable wrongful activities, such as fraud at banks, pharmacies, or even voting booths.

How would LastPass stop motivated adversaries?

LastPass (and other password managers) can store user passwords and other sensitive information into a secure, encrypted “Vault.” Users need only remember one master password to access all of their online accounts. This system facilitates the use of stronger passwords, ensures every log-in credential is different, and reduces the need to store passwords in less safe locations (like a diary). The software blocks typical hacking channels with its robust security measures, including:

  • Multi-factor authentication, to multiply the amount of information and devices needed to log in
  • Master password hashing, to slow down brute-force password guessing
  • End-to-end encryption, to limit information exposure as it travels
  • Zero-knowledge policy, to prevent collaborating insiders from accessing user data

Is that all LastPass can do?

No.

What if LastPass is hacked?

Password management systems raise an intuitive question: what if the system itself gets hacked? Centralizing data incurs the tradeoff between control over security, and higher stakes in the event of a breach. Fortunately, the aforementioned security measures make a direct security breach highly unlikely.

Isn’t LastPass expensive?

Arguably the largest barrier to this initiative is the cost. Setting up an enforcement system will require significant resources: for example, HKS would need to procure software that would block CrimsonKey or Knet login if users do not comply. Furthermore, LastPass prices its enterprise services on a per-user basis. This raises the opportunity cost of making the program mandatory for all users (rather than selected segments). While the financial considerations are significant, the potential costs of a large data breach could be far greater. Seeing as HKS’s system is only as strong as its weakest link, making the investment to secure the passwords of its full user base is well worth it. To this end, HKS should encourage all schools within Harvard to adopt a similar policy. Because Harvard’s systems are so inter-linked, vulnerabilities at other schools are vulnerabilities of HKS as well.

Concluding Thoughts

HKS should take advantage of its platform and resources to offer affiliates a practical lesson in cybersecurity. This would entail making LastPass mandatory, auditing vendors’ cybersecurity measures, encouraging other schools to adopt password managers, and building out accompanying cybersecurity training programs. Harvard’s mission is to “educate the citizens and citizen-leaders for our society.” In this age of increasing digitization, the inclusion of data privacy in a modern education is non-negotiable.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store