Harvard Kennedy School will increasingly be the target of politically motivated digital attacks — time for the school to take it more seriously

Ahmed Ragab
3 min read · Oct 31, 2020

Why a LastPass mandate is appropriate

The increasingly hostile and polarized environment we live in today has left no corner of our lives unscathed. The Kennedy School itself was subject to a mass email spewing racist, bigoted content. With many former Obama administration officials working at the school, some very loud critics of President Trump among the faculty, and the Kennedy School's image as a liberal bastion (like most Ivy League schools), the school is increasingly at risk of becoming the victim of phishing attacks. This calls for stronger security aimed at what is often the weakest point of a system — human error — by mandating LastPass.

LastPass is a password manager that stores encrypted passwords online. It works roughly as follows: 1) the user creates their own master password (which they hopefully do not use for anything else); 2) LastPass randomly generates a password for every new user account and stores it online; 3) these randomly generated passwords are only accessible through the master password. To make things easier for the user, LastPass comes with a plug-in for most web browsers. Currently HKS offers LastPass for free to students and employees but only recommends installing it. We propose that HKS gradually mandate its use, starting as follows:

1) First, LastPass should be mandated for system-critical and at-risk individuals at the school. This should include not just IT personnel but also researchers who work on critical databases or who publish research that might elicit attacks from some of the more radical elements of the internet. This first step should be seen as a pilot, so the list of individuals mandated to use LastPass does not have to be comprehensive.

2) Following the first step, the school should collect data on how the pilot went. How did the users feel about being mandated to use LastPass? How high is compliance? Based on the experience of the pilot, we move to step 3.

3) The school should require all faculty and staff to use LastPass for work-related accounts.

4) Students should be encouraged to use a password manager.

Conspicuously missing here are students. They were left out mostly for practical reasons. Most students have a temporary relationship with the school and a) might be using other password managers; b) the school will not subsidize their premium version after they graduate, so many might feel stuck with LastPass; c) in most cases, students have limited access to critical data or systems. While they might be victims of phishing attacks that compromise their Harvard Key, the amount of damage is less than for staff and faculty. d) It is unclear how the school could enforce such a requirement.

One could also argue that mandating LastPass for staff and faculty limits their choices, and that they too might already be using other password managers. While true, it is easier for the school to ensure compliance and adoption if it works with one vendor. The school can receive user account lists and conduct training for users who require it.

With the plethora of accounts everyone has today, every one of us should be using a password manager. At an institution in the public eye like HKS, everyone must.
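To make the model described above concrete (a master password that alone unlocks randomly generated per-account passwords, kept in an encrypted vault), here is an added illustration written for this post; it is not LastPass code and the scheme is simplified: it uses PBKDF2 from the Python standard library for key stretching and an HMAC-based keystream as a stand-in for the authenticated cipher a real manager would use.

```python
import hashlib
import hmac
import json
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def generate_password(length=20):
    """Step 2: a random, per-account password the user never has to remember."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def derive_keys(master_password, salt, iterations=600_000):
    """Step 3: stretch the master password into an encryption key and a MAC key.
    PBKDF2 with many iterations makes brute-forcing a weak master password expensive."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD such as AES-GCM.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_vault(master_password, entries):
    """Seal the dict of account -> password so only the master password can open it."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # detects tampering or a wrong key
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def decrypt_vault(master_password, blob):
    """Return the entries, or None if the master password (or the stored blob) is wrong."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ciphertext"], ks)).decode())

def demo():
    # Constructed sample accounts; a wrong master password yields nothing, not a near miss.
    entries = {"hks-vpn": generate_password(), "library-portal": generate_password()}
    blob = encrypt_vault("correct horse battery staple", entries)
    return decrypt_vault("correct horse battery staple", blob) == entries, decrypt_vault("wrong", blob)
```

The only secret the user holds is the master password; the stored blob is useless without it, which is why that one password must be strong and never reused.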
