LastPass: If They Didn’t Have it Before, They Probably Won’t Care Now
LastPass is a fantastic way to manage passwords and keep yourself secure online. It was one of the first things I downloaded at HKS (possibly because it was much easier than setting up a connection to the printers). Beyond the utility this application has brought to my life, it is worth examining whether it should be made mandatory for the HKS community.
My framework for unpacking this is as follows:
- Examine who may target HKS
- Identify what damage HKS is worried about
- Rank the significance of those threats
- Ask whether LastPass would make a difference
- Consider possible alternatives
Who Would Target HKS?
Following the thought process of Adam Shostack in Threat Modeling: Designing for Security, I'll look at a few external threats to HKS first.
- Foreign Governments
- Other Universities
- Scorned Applicants/Prospective Applicants
- Journalists/Public Interest Organizations
Internal Threats
- Students and Faculty!
- Friends, Family and Partners of the HKS Community
- Unsecured Technology within HKS
- Vulnerable HKS Technology Staff
How/Why These Actors Would Damage HKS
- Foreign Governments
  - They may try to tamper with the information of, or spoof, high-profile professors and students such as Sec. Ash Carter
  - With access to ordinary student accounts, they could gain a foothold by impersonating students
  - These actors may also have the capability to deny service, disclose information, tamper with data, and so on
  - This is probably the highest-profile threat
- Other Universities
  - They may target admissions or the administration to learn about practices or admissions statistics
  - Now may be a valuable time for a competing school, possibly a top Ivy League rival, to learn HKS admissions secrets
  - While recent lawsuits have forced Harvard College to release many of its admissions secrets, the rumored "Z" list could be good ammunition for a school going after the Harvard brand
  - HKS could be threatened by similar disclosures
- Scorned Applicants/Prospective Students
  - HKS has a low admission rate, which creates a large pool of upset and very intelligent people who may want to harm HKS or its current students
  - In a similar vein, highly motivated prospective students may want inside tips and tricks to improve their chances of getting in
Internal Threats
- Students and Faculty!
  - This may be the largest threat to the University. Any single student's login can reach a great deal of sensitive information about the University or about individual people, so whether the malicious actor is a student, a faculty member, or an outsider holding a stolen login, they can target many different parts of HKS.
  - Students and faculty also have the expertise and institutional know-how needed to threaten HKS.
  - This is a serious concern because there are so many students and faculty, meaning there are just as many possible weak points in HKS's digital security. The security of HKS is only as strong as its weakest link.
  - The fraud at NC State only required learning students' personal information and spoofing the University Police phone number. It's that simple!
- Friends, Family and Partners of the HKS Community
  - They may access HKS's systems on behalf of their friends or family members. At the very least, they may learn the passwords and personal details needed to impersonate these HKS community members.
  - This group may have similar access and expertise to students, but is much harder to account for because its members aren't normally "listed" anywhere.
Introducing LastPass to the Mix
LastPass does a good job of protecting individuals from spoofing and tampering: it lets you use a different, strong password for every site and keeps them all in one vault that is encrypted with a key derived from a single master password. But is it important to make it a mandatory security measure for HKS?
Pros:
- Could reduce the threat of illicit access to student and faculty accounts
- Proper use lowers the likelihood of successful internal and external attacks
- In theory, a simple addition for a great deal of protection
- Targets one of the largest concerns of HKS security: the safety of student and faculty accounts and data
Cons:
- Miscalculates user motivation
- Difficult/expensive to institute and monitor
- Invasion of Privacy?
- Cost outweighs security benefit
Based on this list, I think the costs of making LastPass mandatory outweigh the possible security gains.
For one, I think this policy misidentifies the interests of the user. Most users don't have much incentive to use LastPass effectively. Those within HKS who are seriously concerned about security often already have a password manager or would use the service voluntarily. But if you don't think or know about password security, you will most likely install the application and never use it. Security is rarely a concern for users until their data is breached, and by then it is too late. I know that Google already autofills my passwords for most sites, a setting very common among people. Why change a good and easy status quo like this without new motivation? Making LastPass obligatory does not by itself change people's outlook and behavior regarding personal security.
As an aside, the strength of LastPass master passwords can be an issue. I currently use LastPass, and the master password I initially created was not very different from passwords I used on other sites. The members of the HKS community who are most vulnerable, i.e. the people who repeat passwords or create simple ones, will probably not use the application well. People are consistently told to create new, long, hard-to-remember passwords, and they don't. Why would they do it now with their LastPass master password? Even if users do put all of their passwords into LastPass, the master password may just be a repeat of a past password. And while the vault is encrypted before it leaves your device, a simple master password still leaves you vulnerable to anyone who gets access to that device or to a copy of the vault: the master password is the only thing protecting it, and it can be guessed offline.
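To make the previous point concrete, here is an added example of why a weak master password defeats an encrypted vault. It is my own simplified model, not LastPass's actual vault format or code: it assumes a vault whose key is derived from the master password with PBKDF2-HMAC-SHA256 and whose contents are encrypted and integrity-tagged with that key, so that anyone holding a copy of the vault can test guesses offline. The wordlist, vault contents and both master passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed, deliberately simplified vault format for illustration. It is NOT
# LastPass's real format; it only shares the property that matters here:
# everything protecting the vault is derived from the master password.
ITERATIONS = 10_000  # kept low so the demo runs quickly; real managers use far more
KEY_LEN = 32         # 16 bytes for the keystream key, 16 for the integrity key


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (standard library only)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _split(key: bytes):
    return key[:16], key[16:]


def seal_vault(master_password: str, plaintext: bytes, salt: Optional[bytes] = None):
    """Encrypt and tag the vault contents; returns (salt, ciphertext, tag)."""
    salt = salt if salt is not None else os.urandom(16)
    enc_key, mac_key = _split(derive_key(master_password, salt))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt, ciphertext, tag


def open_vault(master_password: str, salt: bytes, ciphertext: bytes, tag: bytes):
    """Return the plaintext if the master password is right, otherwise None."""
    enc_key, mac_key = _split(derive_key(master_password, salt))
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, len(ciphertext))))


def offline_guess(salt, ciphertext, tag, candidates):
    """What an attacker holding a copy of the vault does: try each candidate
    master password offline. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        if open_vault(guess, salt, ciphertext, tag) is not None:
            return guess, attempts
    return None, attempts


# Constructed sample data: a tiny "reused passwords" wordlist of the kind
# assembled from earlier breaches, and two vaults with identical contents.
LEAKED_WORDLIST = ["password", "123456", "harvard", "Harvard2019", "Harvard2019!", "crimson1"]
VAULT_CONTENTS = b"hks-portal:alice:Xq7!r2Lm\ncanvas:alice:9vB#k1Pz\n"
WEAK_MASTER = "Harvard2019!"                           # a password reused from another site
STRONG_MASTER = "correct-grapefruit-lantern-87-pivot"  # long, and not in any wordlist


def run_demo():
    weak_vault = seal_vault(WEAK_MASTER, VAULT_CONTENTS)
    strong_vault = seal_vault(STRONG_MASTER, VAULT_CONTENTS)
    return {
        "weak": offline_guess(*weak_vault, LEAKED_WORDLIST),
        "strong": offline_guess(*strong_vault, LEAKED_WORDLIST),
    }


if __name__ == "__main__":
    for label, (found, attempts) in run_demo().items():
        outcome = "cracked" if found else "survived"
        print(f"{label} master password: {outcome} after {attempts} guesses")
```

Each guess costs the attacker one PBKDF2 run, so raising the iteration count slows them down linearly, but a master password that already sits in a breach wordlist falls within a handful of guesses no matter how high the count is. A long passphrase that appears in no list forces an exhaustive search, which is exactly the property a reused master password throws away.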
Administratively, this would also be a tremendously difficult policy to enforce. It would be very difficult, expensive, and invasive to inspect every HKS member's personal device for a LastPass installation. Beyond that step, HKS has no way to verify that people are using the service properly: HKS cannot know people's passwords or their strength, and if it could, that would defeat the point of the service. It is also worth asking whether HKS has the right to reach into people's private accounts by mandating a password manager. People have passwords for much more than HKS services, and forcing them to use LastPass may infringe on their personal rights.
Costs vs. Benefits
I believe the potential security benefits of LastPass are not worth the hassle of enforcing a compulsory usage policy. At its core, this policy would not significantly change the values and interests of the target populations at HKS. Many people don't want to think about their passwords or security and are fine with the status quo. Those who value security would most likely use the application without prompting. Additionally, the administrative cost of monitoring so many personal devices would be immense.
At great cost, this policy would maintain the protection of those who already valued security and likely leave those who don't care in a similarly vulnerable position. It would do little to improve the University's security situation.
Alternatives
- Internet fluency courses for students and faculty
  - Expose them to real-life digital dangers through cases and high-quality information
  - This can change motivation, which in turn can change behavior
  - For students, it could be part of our "very mandatory" orientation
- Focus on other HKS digital security concerns
  - Address a different threat
  - Ex: unattended, logged-in computers all over campus that anyone can access