Maga2020!
All views expressed in the blog post are solely for the purposes of an assignment at the Harvard Kennedy School and should only be interpreted in this context
Last week you may have heard that Trump’s Twitter account was allegedly hacked; the security expert in question explained that he did this using brute force, i.e. trying lots of different passwords, and on the fifth go it worked: make America great again, the year we are in and the go-to punctuation mark for a password (well, that or @). This was too good to be true (and in truth it might just be, since it is alleged). Why on earth would he use that? By the time I got to the bottom of the article I realised that actually a lot of us probably do this; we’re far from Homo economicus. When almost every website needs you to create an account and you’re in a rush to get on with what you want to do, of course you’re going to use a password that’s familiar, words that you can remember or, even worse, words that you’ve used before (which still doesn’t explain why the President’s main communication channel was so easy to hack, but let’s leave that to one side for now).
The stats confirm the above: as you can see below, the top 20 most used passwords from 2019 (obtained from data breaches) are not exactly stretching the bounds of human ingenuity. When the average person has somewhere between 70–80 passwords, can you blame them? (Well, yes, definitely for some of the ones below; the full list can be found here.) It turns out that poor password management is one of the biggest causes of data breaches in organisations: 81% of hacking-related breaches leveraged weak or guessable passwords. (You can check whether your password has been breached here; warning: it’s quite nerve-wracking.)
…is Harvard at risk from poor-password-induced attacks?
The short answer is yes, and very much so. A longer answer, covered by the Crimson, can be found here; there’s a great timeline infographic which shows the cyber attacks that Harvard has publicly admitted to, and the quotes from HUIT indicate that there are actually many more happening behind the scenes. I guess this makes sense: Harvard is one of the world’s best universities, and there’s so much information, so much potential and so much future IP flowing through it.
In a bid to increase its security, Harvard introduced the Harvard Key, a single sign-on: instead of having multiple different passwords, you use the same one across many systems. However, the University was still vulnerable, so two-factor authentication (2FA) was introduced as a requirement for the Harvard Key.¹ Not only did you need ‘something you know’, i.e. a password, you also needed ‘something you have’, i.e. a phone or authenticator app. This brought the University closer to the gold standard of three-factor authentication². Conversations with the University’s CISO reveal that the 2FA requirement has had a significant impact on the number of incidents³.
It’s in this context that we now have to answer the following question:
“Should Harvard mandate the use of LastPass, a password manager, for all of its students?”
What is a Password Manager?
A password manager (PM) can work like a browser plug-in. It stores all your passwords (and their respective usernames) in a central secure location called “a vault”, and it helps you create random, complex passwords. You never have to remember anything except one unique master password that you choose; the PM then uses that master password as an encryption key to encrypt all your passwords. You use your master password to access your vault: you can do this each time to get the password you’re looking for, or you can ask the PM to automatically fill it in on the web form in question.
The Case For LastPass
- A PM generates complex passwords for you, preventing password re-use and increasing your security; the vault is protected with AES-256 encryption, which is much stronger than the recommended minimum. PMs protect against brute-force attacks by locking after too many failed login attempts.
- They reduce memory burden (you never have to remember anything except your master password) and user effort; when they detect “fake websites” (a site whose address doesn’t match the one the password was saved for) they won’t enter your password.
- You can add 2FA to sites that don’t have this capability. Depending on your device you can also use Touch ID or Face ID.
- No one except you (not even LastPass) can see your passwords in plaintext, because they’re encrypted using something only you know, i.e. your master key. This means that even if LastPass is breached, your data is gibberish; all encryption and decryption occurs locally on your devices, not on LastPass servers.
- You can use PMs across all your devices.
- All software has bugs; LastPass is known for responding quickly to bugs and other vulnerabilities that are found.
By mandating LastPass, we’d essentially be asking all users to store their Harvard Key in the PM. You could then use the PM to generate complex passwords for Harvard sites that don’t use the Harvard Key, and enable 2FA where those sites don’t support it, thereby increasing your security.
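To make the mechanism described in “What is a Password Manager?” and in the points above concrete, here is a small added Go program (not code from the original post, and not LastPass’s own implementation). It stretches a master password into a key with PBKDF2, encrypts the vault locally with AES-256-GCM, shows that a server holding only the encrypted vault learns nothing without the master password (a guessed one such as “Maga2020!” fails outright), and generates a random password the way a manager would. The iteration count, the symbol alphabet and the sample vault entry are assumptions chosen for the demo, not LastPass’s actual parameters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Entry is one vault record. LockedVault is everything a sync server would hold:
// salt and nonce are not secret, and without the master password the ciphertext is noise.
type Entry struct{ Site, Username, Password string }
type LockedVault struct{ Salt, Nonce, Ciphertext []byte }

// Demo value; real managers use a far larger count so offline guessing of the master password is slow.
const kdfIterations = 10000

// pbkdf2SHA256 derives a 32-byte key from the master password. PBKDF2 is written out over
// HMAC-SHA256 so only the standard library is needed; one output block (index 1) suffices.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// vaultCipher derives the key and builds AES-256-GCM (confidentiality plus tamper detection);
// neither constructor can fail for a 32-byte key, so their errors are deliberately dropped.
func vaultCipher(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, kdfIterations))
	aead, _ := cipher.NewGCM(block)
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS random source failing is not recoverable here
	}
	return b
}

// LockVault encrypts the entries locally; the master password never leaves this function.
func LockVault(master string, entries []Entry) (*LockedVault, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	salt := randomBytes(16)
	aead := vaultCipher(master, salt)
	nonce := randomBytes(aead.NonceSize())
	return &LockedVault{Salt: salt, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plain, nil)}, nil
}

// UnlockVault re-derives the key and decrypts. A wrong master password or a modified
// ciphertext fails the GCM tag check, so no partial or garbled plaintext ever comes out.
func UnlockVault(master string, v *LockedVault) ([]Entry, error) {
	plain, err := vaultCipher(master, v.Salt).Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unlock vault (wrong master password or tampered data): %w", err)
	}
	var entries []Entry
	err = json.Unmarshal(plain, &entries)
	return entries, err
}

// passwordAlphabet has 70 symbols. GeneratePassword draws each from crypto/rand and discards
// bytes of 210 or more so the modulo does not favour any symbol (256 = 3*70 + 46).
const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"

func GeneratePassword(length int) string {
	n := len(passwordAlphabet)
	out := make([]byte, 0, length)
	for len(out) < length {
		if b := int(randomBytes(1)[0]); b < 256-256%n {
			out = append(out, passwordAlphabet[b%n])
		}
	}
	return string(out)
}

func main() {
	// Constructed sample entry; "example.test" is a placeholder, not a real account.
	locked, _ := LockVault("correct horse battery staple", []Entry{{"example.test", "student", GeneratePassword(20)}})
	fmt.Printf("what a breached server would hold: %x...\n", locked.Ciphertext[:16])
	_, err := UnlockVault("Maga2020!", locked)
	fmt.Println("guessed master password:", err)
	got, _ := UnlockVault("correct horse battery staple", locked)
	fmt.Println("unlocked locally:", got[0])
}
```

Two design points worth noticing: the salt makes the same master password produce a different key for every user, so a breached set of vaults cannot be attacked in bulk, and the iteration count is the only thing standing between a breached vault and a guessable master password, which is exactly why footnote ⁴ matters.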
The Case Against
A lot of the following is based on Stuart Schechter’s incredibly informative blog post “Before You Use a Password Manager”.
- You put all your eggs in one basket: with one mistake, e.g. choosing a simple or guessable master password, you could lose them all⁴.
- They only work if you actually replace your old passwords with complex ones generated by the PM.
- Automatic form-filling has been found to make users vulnerable to attacks (you may want to opt out).
- An attack on the device where you store your managed passwords can expose all of them, e.g. if your personal laptop is infected with malware and your password manager is on it, the malware can read every password you keep there.
- You need to think carefully about which devices use the PM: a) Who else will have access to them? b) Will you use it on devices that you only use occasionally? If so, you’ll need to ensure you update their software and security regularly so they’re not susceptible to malware.
- The UK’s National Cyber Security Centre suggests that only low-value passwords, ones that won’t cause permanent damage if they’re exposed, can be stored without hesitation; for everything else you need to think carefully before storing it in a PM.
Schechter argues that there’s a lot to consider when you’re thinking about adopting a PM. You need to memorise a strong, unique master password (which could take weeks), you need to think about your recovery plan, and you need to figure out your own password management strategy: will you store all your passwords or only low-value ones? Which devices will you use it on? There are so many decisions to make⁵ that what’s right for one person won’t be right for another. It’s broadly for this reason that I think mandating LastPass might not be a good idea: it could make students complacent and unlikely to absorb the information they need, e.g. leading them to mindlessly store everything (even their high-value passwords) in the PM. In addition, when I spoke to our CISO, whilst he encourages everyone to use a PM (to improve their general security), he cautions against ‘mandating’ one, as there are still usability concerns with PMs that lead less technically minded users to find them very challenging³.
The second main reason is that the Harvard Key (used for most sites) already has 2FA. Whilst mandating LastPass could improve your “general security”, arguably it doesn’t make much of a difference directly to Harvard’s security. There’s also research which suggests that if you keep asking students to do more and more, you cause them to switch off: if the security burden is too high, the effort users put into following the rules decreases, thereby making the organisation more vulnerable. Fig 1. below is from this paper; right now we could be at the operating point, and any more requirements could push a user to being much more careless, e.g. a user could assume that because the PM has been mandated Harvard must know what it’s doing, so they don’t have to think twice. Also, since the Harvard Key already has 2FA, a PM may mean you need to use 2FA twice, once to get the password from the PM and again once you enter the password to get into the system in question, which would really elongate the process.
Our Options
Borrowing a bit of nudge theory, I think the options we have are the following:
Recommendation: Option 4 — a “weak nudge”
Given there are so many things a user needs to consider and decide before using a PM, and that it doesn’t directly and drastically improve HU’s security (since we broadly have 2FA), I don’t think the University should mandate a PM or automatically opt users in. I think it should adopt a weak-nudge approach, i.e. signposting users to LastPass, for example at the point where they sign up for the Harvard Key, or by making it part of the IT Checklist that students receive at Orientation.
I think this is much more empowering than a strong nudge, which leaves open the risk that students don’t think before using a PM and thereby make themselves much more vulnerable. It definitely makes sense to consider a PM, but I think users should be given time to absorb all the information and decide for themselves how they’re going to use one.
I didn’t really expect to reach this conclusion, let alone the idea that everyone should think about their own password management strategy, but at this particular point in time, when we’re still using passwords and they’ve not been eradicated yet, the following seems like the best thing to do: store low-value passwords in a PM, and use it to enable 2FA on sites without that capability.
_____________________________________________________________
Fig 1. The Compliance Budget: the Economics of User Effort in Information Security
Footnotes
¹ The majority of systems now have this requirement, but not all, due to technical constraints.
² Often referred to as the gold standard for authentication, three-factor authentication comprises something you know (e.g. a password), something you have (e.g. a phone) and something you are (e.g. biometric ID).
³ From conversations with Harvard University’s CISO in October 2020.
⁴ This actually happened in one hack where LastPass was breached. The hack exposed users’ email addresses, encrypted master passwords and the reminder words and phrases that the service asks users to create for those master passwords. So whilst the passwords are gibberish due to encryption, if they’re simple or guessable then you’ve really made yourself vulnerable.
⁵ Questions that Stuart Schechter suggests you consider:
- Which password manager will I use?
- How will I recover access to my passwords if I lose my devices and/or my master password?
- How will I store my master password until I memorize it?
- Which devices should I install the password manager on?
- Which of those devices will need a stronger authentication mechanism to ensure someone who uses or steals that device can’t get all my passwords?
- Which of those devices need stronger security measures to protect against malware that could steal all my passwords?
- Which of my passwords should I not risk storing in my password manager?
- Which of my accounts should I have my password manager create new, random passwords for? (Don’t forget that you can have it generate, but not store, passwords for accounts you don’t want it to manage.)