dc.contributor.author Vorster, J
dc.contributor.author Irwin, B
dc.contributor.author Van Heerden, Renier P
dc.date.accessioned 2019-04-03T09:18:39Z
dc.date.available 2019-04-03T09:18:39Z
dc.date.issued 2018-03
dc.identifier.citation Vorster, J., Irwin, B. and Van Heerden, R.P. 2018. Violations of good security practices in graphical passwords schemes: Enterprise constraints on scheme-design. Proceedings of the 13th International Conference on Cyber Warfare and Security - ICCWS 2018, Washington DC, USA, 8-9 March 2018 en_US
dc.identifier.isbn 978-1-911218-74-6
dc.identifier.isbn 978-1-911218-73-9
dc.description Due to copyright restrictions, the attached pdf is the accepted version of the published item. en_US
dc.description.abstract During the past decade, the sophistication and maturity of Enterprise-level Information Security (EIS) standards and systems have increased significantly. This maturity, particularly in the handling of enterprise-wide capability models, has led to a set of standards – e.g. ISO/IEC 27001, NIST 800-53, ISO/IEC 27789 and CSA CCM – that propose controls applicable to the implementation of an Information Security Management System (ISMS). By nature, the academic community is fruitful in its endeavour to propose new password schemes, and many Graphical Password (GP) schemes have been proposed. In this paper, we explore the impact of good security standards and the lessons learnt over the past decade of EIS as a model of constraint on GP schemes. The paper focuses on a number of GP schemes and points out the security constraints and limitations that apply if such schemes are to be implemented at the enterprise level. First, we use standards such as NIST 800-53, the Cloud Security Association's Cloud Control Matrix (CCM) v3 and others to construct a subset of standards that a new authentication mechanism, such as GPs, should conform to. Next, we analyse various GP schemes and show the limitations of these schemes from an EIS perspective, given the mentioned standards. We show that some schemes are secure in their construction but lack scalability to enterprise-wide implementations. We show that other schemes lack the ability to store passwords as hashes. Yet other schemes have insecure session-password mechanisms. We furthermore show that some schemes claim to be implementable on top of existing password models, but often this requires that non-hashed passwords be available. According to OWASP (the Open Web Application Security Project), the number two global web security issue is broken authentication and session management, trumped only by injection vulnerabilities. The paper is therefore relevant in the current security context and to the global dialogue on improving security. This is, to our knowledge, the first attempt to analyse GP schemes using enterprise-level implementation constraints. en_US
dc.language.iso en en_US
dc.publisher Academic Conferences and Publishing International en_US
dc.relation.ispartofseries Worklist;22337
dc.subject Access management en_US
dc.subject Graphical passwords en_US
dc.subject Information security management system en_US
dc.title Violations of good security practices in graphical passwords schemes: Enterprise constraints on scheme-design en_US
dc.type Presentation en_US
