Title: Violations of good security practices in graphical passwords schemes: Enterprise constraints on scheme-design
Authors: Vorster, J; Irwin, B; Van Heerden, Renier P
Type: Conference Presentation
Date issued: 2018-03 (record created 2019-04-03)
Language: en
Keywords: Access management; Graphical passwords; Information security management system
Citation: Vorster, J., Irwin, B. and Van Heerden, R.P. 2018. Violations of good security practices in graphical passwords schemes: Enterprise constraints on scheme-design. Proceedings of the 13th International Conference on Cyber Warfare and Security - ICCWS 2018, Washington DC, USA, 8-9 March 2018. Academic Conferences and Publishing International.
ISBN: 978-1-911218-74-6; 978-1-911218-73-9
Proceedings contents: http://toc.proceedings.com/38822webtoc.pdf
Handle: http://hdl.handle.net/10204/10919
Repository: CSIR ResearchSpace, https://researchspace.csir.co.za
Note: Due to copyright restrictions, the attached pdf is the accepted version of the published item.

Abstract:
During the past decade, the sophistication and maturity of Enterprise-level Information Security (EIS) standards and systems have increased significantly. This maturity, particularly in the handling of enterprise-wide capability models, has led to a set of standards, e.g. ISO/IEC 27001, NIST 800-53, ISO/IEC 27789 and CSA CCM, that propose controls applicable to the implementation of an Information Security Management System (ISMS). The academic community is, by nature, prolific in proposing new password schemes, and Graphical Passwords (GPs) have attracted many such proposals. In this paper, we explore the impact of good security standards, and of the lessons learnt over the past decade of EIS, as a model of constraints on GP schemes. The paper focuses on a number of GP schemes and points out the security constraints and limitations that apply if such schemes are to be implemented at the enterprise level. First, we use standards such as NIST 800-53, the Cloud Security Alliance's Cloud Controls Matrix (CCM) v3 and others to construct a subset of controls that a new authentication mechanism, such as a GP scheme, should conform to. Next, we analyse various GP schemes and show their limitations from an EIS perspective, given those controls. We show that some schemes are secure in their construction but do not scale to enterprise-wide implementation. We show that other schemes cannot store passwords as hashes. Yet other schemes have insecure session-password designs. We furthermore show that some schemes claim to be implementable on top of existing password models, but that this often requires the existing passwords to be available in non-hashed (plaintext) form. According to OWASP (the Open Web Application Security Project), the number two global web security issue is broken authentication and session management, trumped only by injection vulnerabilities. The paper is therefore relevant in the current security context and to the global dialogue on improving security. This is, to our knowledge, the first attempt to analyse GP schemes against enterprise-level implementation constraints.
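The abstract's distinction between schemes that can and cannot "hash-store" passwords comes down to whether the scheme's matching rule can be made exact before hashing. The following is an added example and not code from the paper or from any scheme it analyses; it assumes a PassPoints-style click-point scheme (an ordered list of (x, y) clicks on a fixed image), a hypothetical 20-pixel grid as the tolerance mechanism, and PBKDF2-HMAC-SHA256 as a stand-in for whatever slow hash the enterprise already uses for text passwords. Quantising each click to a grid cell turns an approximate comparison into an exact one, so the canonical form can be salted and hashed exactly like a text password; a scheme that instead accepts any click within a radius of the enrolled point must keep the enrolled coordinates in the clear, which is the shortcoming the abstract describes.

```python
"""Hash-storing a click-point graphical password (added example).

Assumptions (not from the paper): PassPoints-style ordered click list,
a 20-pixel tolerance grid, and PBKDF2-HMAC-SHA256 as the password hash.
"""
import hashlib
import hmac
import os

CELL = 20              # assumed tolerance: clicks in the same 20x20 cell match
ITERATIONS = 100_000   # PBKDF2 work factor; tune to the deployment


def canonicalise(clicks, cell=CELL):
    """Map each (x, y) click to its grid cell and serialise the sequence.

    Order is preserved, so the same cells in a different order give a
    different canonical string (and therefore a different hash).
    """
    return ";".join(f"{x // cell},{y // cell}" for x, y in clicks).encode()


def enrol(clicks, iterations=ITERATIONS):
    """Store only salt, work factor and digest; the clicks are never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalise(clicks), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, clicks):
    """Exact comparison of hashes, as for a text password (constant time)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", canonicalise(clicks), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def verify_plaintext_radius(enrolled_clicks, clicks, radius=10):
    """Contrast case: tolerance by Euclidean radius.

    The enrolled coordinates themselves are needed at verification time,
    so this rule cannot be applied to a hash. Shown only to illustrate why
    such a scheme cannot be retrofitted onto a hashed password store.
    """
    if len(enrolled_clicks) != len(clicks):
        return False
    return all(
        (ex - x) ** 2 + (ey - y) ** 2 <= radius ** 2
        for (ex, ey), (x, y) in zip(enrolled_clicks, clicks)
    )


if __name__ == "__main__":
    # Constructed sample input: two clicks chosen at enrolment, then two
    # slightly different clicks at login (each within the same grid cell).
    enrolled = [(105, 210), (33, 47)]
    record = enrol(enrolled)
    print("stored fields:", sorted(record))          # no coordinates stored
    print("same cells   :", verify(record, [(110, 215), (30, 40)]))
    print("wrong cell   :", verify(record, [(125, 215), (30, 40)]))
    print("wrong order  :", verify(record, [(30, 40), (110, 215)]))
    # Boundary caveat of grid quantisation: (119, y) and (120, y) fall in
    # adjacent cells even though they are one pixel apart.
    print("boundary     :", canonicalise([(119, 0)]), canonicalise([(120, 0)]))
```

The grid approach has the known caveat shown at the end: a click near a cell boundary can land in the neighbouring cell on a later attempt, so real deployments use a more careful discretisation or multiple offset grids. That refinement does not change the security property that matters here, which is that the stored record contains no recoverable click coordinates.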