You may be wicked smaht, but I know your password, God

Adam S
3 min read · Oct 30, 2020

LastPass should be required for HKS students not because they can’t maintain their own quality passwords, but because they choose not to.

Up until three-character passwords became a thing of the past for most digital service providers, “God” was one of the most common — and, ironically, among the most frequently compromised. Security requirements may now be better, but the decision-making involved in choosing the right kind of password isn’t — regardless of whether we go to Harvard Kennedy School or not.

LastPass is not the best solution for securing your data, or your passwords, but it is still better than your solution. That is, unless every one of your passwords would require more than approximately 57896044618658097711785492504343953926634992332820282019728792003956564819968 guesses to crack.

On collaborative digital platforms such as those used by universities, poor decisions — like using weak passwords — directly and negatively impact the entire group, concluded Specops Software Security experts.

Each individual data breach in the US during 2020 has cost industry stakeholders an average of $8.64M, according to IBM’s most recent data breach report. The percentage of successful breaches climbs every year, despite highly sophisticated security infrastructure and encryption levels unparalleled in history. Why? Complacency. Turns out, 80% of hacking-related breaches take advantage of compromised passwords.

Been hacked? There’s a good chance it’s equally your fault — and another reason LastPass should be required

Be honest with yourself, is one of your passwords 123456? If so, you don’t have to feel too bad — you’re just another part of the 3% of the global population that thinks that’s okay. According to SplashData, 10% of people use at least one of the 25 most common, worst passwords on a regular basis. That’s a 1-in-10 chance you’re making decisions that compromise your data and welfare.

A few numbers for the idiot savants amongst us who got into Harvard yet still don’t get why it’s not okay to use “qwerty”, “abc123” or “dragon” (#23 most commonly used, apparently…) as passwords

Some quick napkin math here using stats from Google, NordPass and IBM. On average, per person in the US —

- Number of passwords held at a given time: 75
- Share of passwords held that are identical: 65%
- Average cost of a single breached account: $242

…which makes the total potential cost of a breach 75 x 0.65 x 242 = $11,797.50

Bottom line: compromised passwords are costly. They are even more costly when it affects a community of users like, say, those on KNET, Canvas, or my.Harvard. If you do struggle with memory and a lack of originality, there’s a solution for you.

A fix that’s statistically complex yet far less exhausting than Math 55

If you are indeed producing 75 unique passwords, each of which is on par with a randomized sequence of 256 binary digits — or 2²⁵⁶ — and storing them all in your head, then LastPass may be less useful to you personally. However, since the probability that none of the 1-in-10 people who use easily crackable passwords are at HKS is not very high, and the case that 100% of those at HKS are also brainstorming 256-bit passwords is unlikely, you still benefit from HKS implementing a LastPass policy that protects you against the mistakes of others.

Caveat — since being held responsible for our decisions is unreasonable…

It’s worth noting that no password is impenetrable. Even LastPass was breached once back in 2015, prior to receiving a critical patch. If you’re still skeptical, consider advocating for something like McAfee’s multi-factor authentication to further reduce risk. Either way, LastPass’s AES-256-bit encryption with PBKDF2-SHA256 and salted hashes, utilizing a single, unique encryption key generated locally from a strong master password, is still a better option than yours.
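As an added illustration (not code from this post or from LastPass), the Python below sketches the scheme the paragraph describes and the guess counts cited earlier: PBKDF2-HMAC-SHA256 stretches a master password and a per-user salt into a 256-bit key that encrypts the vault locally, and the 2²⁵⁵ figure quoted above is exactly the average number of guesses an exhaustive attacker needs against a 256-bit secret. The iteration count, salt length and sample master password are constructed assumptions, not the product's real parameters.

```python
import hashlib
import math
import os

# Constructed parameters for illustration; the post does not state LastPass's real
# iteration count or salt length, so these are assumptions, not the product's values.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32  # 256 bits, the size of an AES-256 key


def new_salt() -> bytes:
    """Per-user random salt: the same master password yields a different key per user."""
    return os.urandom(SALT_BYTES)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch master password + salt into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    The derived key stays on the device; it, not the password, encrypts the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def space_size(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def expected_guesses(space: int) -> int:
    """An exhaustive attacker succeeds, on average, halfway through the space."""
    return space // 2


def attacker_work(space: int, iterations: int = PBKDF2_ITERATIONS) -> int:
    """PBKDF2 evaluations needed on average: stretching multiplies every guess's cost,
    but it cannot rescue a master password whose space is tiny to begin with."""
    return expected_guesses(space) * iterations


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", new_salt())  # constructed sample
    print(f"vault key: {key.hex()} ({len(key) * 8} bits)")
    for label, space in [("'God' (3 letters, mixed case)", space_size(52, 3)),
                         ("6-digit master password", space_size(10, 6)),
                         ("256-bit random secret", 2 ** 256)]:
        print(f"{label}: {math.log2(space):.1f} bits, ~{expected_guesses(space):.3g} guesses, "
              f"~{attacker_work(space):.3g} PBKDF2 evaluations")
```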

In short, you have the right to put your own data and security at risk, but you don’t have the right to put that of others at risk. Welcome to LastPass HKS.
