My Harvard Account Password is… Password
Universities have a responsibility to protect their data and the data of their community members; however, this responsibility is not unique to them. Businesses and organizations of all shapes and sizes share the same responsibility, yet very few of them would ever consider imposing mandates on personal security practices outside the scope of their own services. Security requirements for access to their own systems or services, sure, but forced behavior beyond that — no way.
The question of mandatory password management at universities and at HKS, such as requiring the use of LastPass, is a classic debate between security and freedom. Requiring students, faculty, and staff who access university services to use a security service outside the scope of university-related use cases would be an overreach of administrative authority. While it might reduce the likelihood of account breaches or password theft that could affect other community members through spillover effects, this potential harm reduction does not justify the administration forcing behavior that is unrelated to the university.
HKS has every right to impose restrictions on system passwords and on the authentication services used to access its internal systems. However, it does not have the right to mandate community action outside of that. If HKS decides that LastPass-managed passwords will be required to access student or faculty accounts, then so be it. The precedent has already been set by requiring two-factor authentication through mobile, email, or Duo, a third-party verification service. But if HKS decides that LastPass must be used for password management more generally, for all digital uses by community members, that would constitute an overreach of authority.
Should HKS decide that LastPass be mandated for system usage, the administration should ensure that the service is made available at no cost to students, staff, and faculty. Requiring supplementary security services at the community's own expense is unacceptable. If HKS chooses a designated vendor like LastPass to handle system access, then the service should be carefully vetted for broad accessibility and made available free of charge.
Ultimately, the use of outside vendors by universities, especially for security, is nothing to be taken lightly. When relying on outside services for security, you relinquish internal control and responsiveness and expose yourself to the vulnerabilities of the third-party service itself. In this way HKS would become vulnerable to breaches of, or vulnerabilities in, LastPass, something it has no control over. Outsourcing security services can be a great way to achieve cost savings and reduce the digital administrative burden, but it can also be a risky endeavor that leaves you reliant on third parties. In my opinion, the benefits of using established and commercially stable services like LastPass or Duo outweigh the potential risks associated with their usage.
HKS understands the importance of sensitive user data and has strong incentives to keep its resources, materials, and community members secure. Using a service like LastPass is one way to further strengthen its defenses and mitigate the risk of common password attacks and vulnerabilities. Ensuring that the requirement applies only to HKS system passwords, and does not extend to forced use of LastPass for all password management, is key to respecting student freedoms and to reducing pushback during implementation. If HKS decides to bolster security through additional password protections, the entire community will be better off and more secure for it — as long as it is implemented responsibly.