Implementing LastPass at Harvard University

TO: Dean and Head of IT, Harvard University

FROM: Aisha Iqbal, Chief of Staff to the Dean of Harvard Kennedy School

SUBJECT: Potential Mandatory Implementation of LastPass

SUMMARY: Harvard faculty have been discussing whether to make the password management service LastPass mandatory for all faculty, students, and staff. This internal push calls for a better means of managing and protecting personal passwords. The service has already been mandated at several universities, including peer institutions such as UPenn and Princeton. While there are user benefits such as secure password collection, the numerous security breaches should also be considered. However, if implemented securely, I would highly recommend its use.


The system would store Harvard-specific domain login information and address information, which users can sync across all of their devices. The data is secured with fingerprint login, mobile app PIN unlock, and two-factor authentication. On top of that, LastPass has an intuitive and user-friendly interface that works well with various browsers and devices.


  • LastPass lets users manage all their passwords for multiple websites. Users only have to remember their master password. This helps them avoid reusing a password across different platforms or choosing one that is easy to guess. Users may also generate a long, randomized password in the system for additional security against hacking.
  • Its automatic form-fill feature fills in any website’s form fields with the user’s details, such as name and address, to save time. Once users have set them up, the system also remembers the login details for various websites, so users no longer have to type their information again and again, while their information stays secured. They can also use LastPass in any web browser and on a smartphone.
  • The most important feature of any password manager is security. LastPass implements a strong encryption algorithm. All user data stored in the vault is kept secret even from the software. Access to an account has optional two-factor authentication, which means users may opt for a second login before they can enter the vault.
    • Within the Harvard system, two-factor authentication is already used for additional user privacy. LastPass would build upon this functionality.


There have been numerous security incidents with the service that highlight key vulnerabilities:

  • In 2015, LastPass account email addresses, password reminders, server per-user salts, and authentication hashes were compromised; however, encrypted user vault data was not affected.
  • In 2016, security firm Detectify detailed a method for reading plaintext passwords for domains from a LastPass user’s vault when that user visited a malicious website.
  • In 2019, a user reported a vulnerability in the LastPass browser extension where websites with malicious JavaScript code could obtain a username and password inserted by the password manager on the previously visited site.

The numerous security breaches are concerning for the university as our students’ work can potentially be compromised.

RECOMMENDATION: LastPass has taken precautionary measures to make sure user privacy and security are maintained. While that is not 100% certain for every user, implementing a system that eases access is critical.