Violations of good security practices in graphical passwords schemes: Enterprise constraints on scheme-design

Abstract

During the past decade, the sophistication and maturity of Enterprise-level Information Security (EIS) Standards and Systems has increased significantly. This maturity, particularly in the handling of enterprise-wide capability models, has led to a set of standards – e.g. ISO/IEC 27001, NIST 800-53, ISO/IEC 27789 and CSA CCM – that propose controls applicable to the implementation of an Information Security Management System (ISMS). By nature, the academic community is fruitful in its endeavour to propose new password schemes; and Graphical Passwords (GPs) have had many proposals for schemes. In this paper, we explore the impact of good security standards and lessons-learnt over the past decade of EID as a model of constraint on GPs schemes. The paper focuses on a number of GP schemes and points out the various security constraints and limitations, if such schemes are to be implemented at the enterprise level. First, we use standards such as NIST 800-53, the Cloud Security Association’s Cloud Control Matrix (CCM) v3 and others, to construct a subset of standards that a new authentication mechanism, such as GPs, should conform to. Next, we analyze various GP schemes and show the limitations of these schemes from an EIS perspective, given the mentioned standards. We show that some schemes are secure in their construction, but lack scalability to enterprise-wide implementations. We show that other schemes lack the ability to hash-store passwords. Yet other schemes have insecure session-password schemes. We furthermore show that some schemes claim to be implementable on top of existing password models, however, often that requires that non hash passwords are available. According to the OWASP (Open Web Application Security Project) the number two global web security issue is broken authentication and session management, trumped only by injection vulnerabilities. The paper therefore is relevant in the current security context and the global dialogue on improving security. This is the first attempt, to our knowledge, to analyze GP schemes using enterprise-level implementation constraints.