=Paper= {{Paper |id=Vol-3676/BISEC_paper_3 |storemode=property |title=Gamification as a Tool for Elevating Password Strength Awareness |pdfUrl=https://ceur-ws.org/Vol-3676/short_03.pdf |volume=Vol-3676 |authors=Miloš Kostić,Igor Saveljić |dblpUrl=https://dblp.org/rec/conf/bisec/KosticS23 }} ==Gamification as a Tool for Elevating Password Strength Awareness== https://ceur-ws.org/Vol-3676/short_03.pdf
Gamification as a Tool for Elevating Password Strength Awareness

Miloš Kostić¹,*, Igor Saveljić¹

¹ Faculty of Information Technology, Belgrade Metropolitan University, Tadeuša Košćuška 63, 11000 Belgrade, Serbia


Abstract
In modern society, where users are confronted with the necessity of managing an ever-growing number of personal profiles and accounts, low password security awareness remains a significant vulnerability in cybersecurity. Despite the existence of numerous tools designed for password safekeeping, the importance of educating users and broadening their knowledge of password strength and related cybersecurity risks cannot be overstated. The popularity of gamification as an educational technique for overcoming challenges in different domains, mostly related to a lack of motivation and attention, has grown in recent years. This paper explores the concept of a two-dimensional game in which players face specific challenges aimed at replacing existing weak passwords with new, stronger ones, while avoiding the loss of access to various platforms. Time constraints and simulated cyber-attacks enhance the learning process and underscore the importance of the analyzed topic.

Keywords
Gamification, Security awareness, Games-based learning, Human-centered cybersecurity



1. Introduction

In the digital age, our society increasingly relies on the Internet for various aspects of our lives, from banking to e-commerce. Transactions conducted online often require the exchange of personal information, such as home addresses and credit card details. Within this digital landscape, passwords continue to serve as the primary authentication mechanism for accessing online services. Ensuring users remain secure while using passwords is of paramount importance. This paper seeks to address the critical need to enhance security awareness and promote better password practices through the implementation of gamification techniques.

The importance of raising password strength awareness, the concept of gamification, and its application within the context of a learning environment will be explored in this paper. Additionally, a concept overview of a two-dimensional game ("Lockedout") will be presented, in which players face specific challenges aimed at replacing existing weak passwords with new, stronger ones, while avoiding the loss of access to various platforms.

2. Importance of password strength awareness

The Internet presents numerous potential risks when browsing the web, such as interacting with malicious websites and domains, using inadequately constructed and weak passwords, responding to phishing emails and messages, etc. These risks can place users in dangerous situations [1]. Various methods have been employed to raise user security awareness during online transactions. With the prevalence of password-related vulnerabilities, research efforts have predominantly concentrated on the creation and enhancement of security awareness tools aimed at fortifying password security.

Users often grapple with the creation and retention of strong, secure passwords, leading to various studies aimed at addressing this issue [2, 3, 4]. Experience has revealed that the prevalent method of incorporating password meters into password creation forms can frequently create a false sense of security. This is often attributed to shortcomings in many of the available password meter algorithms, which may incorrectly label weak or poorly defined passwords as strong [5, 6]. Research suggests that additional factors should be considered when using password meters, such as user perceptions of account importance, as opposed to relying solely on the feedback provided by the meter. It becomes evident that password meters alone may not be sufficient for raising awareness and encouraging the creation of secure passwords.

Persuasive messages intended to instill fear by outlining the possible consequences of non-compliance have also been investigated as a means to boost security awareness. By educating end-users on the importance of password strength and heightening their awareness of associated risks, this approach has proven effective in motivating users to craft more robust passwords.

Despite ongoing efforts, issues with password hygiene persist, highlighting the necessity for more effective ways to convey password security information to users.

BISEC'23: 14th International Conference on Business Information Security, November 24, 2023, Niš, Serbia
* Corresponding author.
milos.kostic@metropolitan.ac.rs (M. Kostić); igor.saveljic@metropolitan.ac.rs (I. Saveljić)
ORCID: 0009-0005-0912-9518 (M. Kostić); 0000-0002-0707-5174 (I. Saveljić)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073


3. Gamification

Gamification is often described as the application of game design principles in non-gaming contexts [6, 7]. However, it encompasses more than just incorporating elements from games: it means infusing game thinking into non-game scenarios, involving elements such as player control, rewards, progress mechanics, collaborative problem-solving, storytelling, and even competition. At its core, gamification seeks to motivate individuals to change their behavior, primarily through enhanced engagement and motivation.

Research and recent studies have unveiled numerous instances where competitive elements successfully encouraged participants to change their behavior [6, 8]. The inclusion of competitive and cooperative elements in non-game contexts exemplifies the integration of gamification. Such gamified contexts provide a safe environment in which participants can practice and hone their skills under pressure, supporting controlled learning and adaptation. Despite the growing popularity of digital or online gamified environments, gamification can also be seamlessly incorporated into tabletop contexts, using elements from card games or board games.

Studies consistently indicate a preference for gamified environments over their non-gamified counterparts among participants. The advantages of increased engagement, motivation, and skill development make gamification an attractive proposition for cybersecurity education and awareness. Nevertheless, a detailed investigation into the precise application of gamification within existing cybersecurity awareness contexts remains an underexplored area.

4. "Lockedout" – Game concept

"Lockedout" is a 2D pixel art time challenge game designed to educate players about prevalent cybersecurity risks and underscore the critical importance of password strength. It embraces a pixelated aesthetic reminiscent of video games from the 1980s and 1990s, deliberately chosen to infuse a sense of charm and playfulness into the overall gaming experience.

The game's title (Figure 1), "Lockedout," is a wordplay carefully selected to convey the concept of being virtually locked out due to password-related issues.

Figure 1: Current game title/logo design.

Figure 2: Password change UI.

4.1. Game Structure

In terms of UI/UX elements, "Lockedout" will revolve around the visible borders of a computer monitor, featuring a fictional operating system (OS) hosting five simulated computer applications. Additionally, an OS Guard, akin to antivirus software, will facilitate player interactions within the game and provide essential narrative elements and guidance (Figure 2). Each of the computer applications will possess its own interface, complete with predefined content, and will serve as a representation of a significant daily activity necessitating robust password protection:

    • Email communication
    • Socializing with friends
    • Online shopping
    • Engaging with social media
    • Managing bank account and transactions

A fully operational password checker, featuring a password strength indicator and corrective notifications, will serve as a key gameplay mechanic. The flow of gameplay will be regulated by a predefined scenario and relevant timers.

An imaginary hacker or hacker group will also be featured in the narrative; however, they will not be directly portrayed within the game.
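The password checker that Section 4.1 names as the key mechanic, together with the concern in Section 2 that composition-based meters label passwords such as "password123" as strong, suggests what such a checker has to do differently. The following is an added example written for this page, not code from the paper or from the "Lockedout" project (which the authors plan to build in Unity/C#): a Python sketch that contrasts a naive composition meter with a checker that returns the concrete reasons a candidate is rejected and enforces the uniqueness rule the scenario in Section 4.2 imposes across the five accounts. The blocklist, the common-word list, the 12-character minimum and the rejection messages are constructed here for illustration; only the five account names and their starting passwords come from the paper.

```python
"""Reason-based password checker in the spirit of the "Lockedout" mechanic.

Added example for this page, not the paper's code. It contrasts a naive
composition meter (the kind Section 2 says can label weak passwords as
strong) with a checker that reports every contributing factor and
enforces uniqueness across the player's five accounts.
"""
from __future__ import annotations

import re
import string

# Constructed blocklist standing in for a breached-password corpus (illustrative).
COMMON_PASSWORDS = {
    "123456", "12345678", "password", "password123", "letmein", "qwerty",
    "shopping123", "iloveyou", "admin", "welcome",
}
# Constructed list of base words that users pad with digits ("shopping123").
COMMON_WORDS = {"password", "letmein", "qwerty", "shopping", "welcome",
                "admin", "bank", "email", "chat", "social"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Passwords from the game's MyPasswords.txt (Section 4.2 of the paper).
GAME_PASSWORDS = {
    "Email": "123456",
    "Bank": "password123",
    "Chat": "letmein",
    "Social": "qwerty",
    "Shopping": "shopping123",
}


def naive_meter(pw: str) -> str:
    """Composition-rule meter: length plus number of character classes.

    This is the weak design Section 2 warns about; it knows nothing about
    dictionaries or patterns, so 'password123' comes out as 'strong'.
    """
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if len(pw) >= 8 and classes >= 2:
        return "strong"
    if len(pw) >= 6:
        return "medium"
    return "weak"


def _keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw contains a run of min_len adjacent keys (e.g. 'qwer', '4321')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seq = row[i:i + min_len]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(candidate: str, account: str,
                   existing: dict[str, str], min_len: int = 12) -> list[str]:
    """Return the reasons `candidate` is rejected for `account`; [] means accepted.

    `existing` maps account name -> current password and drives the
    uniqueness rule: a password may not be reused on another account.
    The 12-character minimum and the message texts are assumptions of this example.
    """
    reasons: list[str] = []
    low = candidate.lower()

    if len(candidate) < min_len:
        reasons.append(f"too short: {len(candidate)} < {min_len} characters")
    if low in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")

    # Strip non-letters from both ends to expose a dictionary core ('shopping123' -> 'shopping').
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core and core != low and core in COMMON_WORDS:
        reasons.append(f"common word '{core}' padded with digits or symbols")

    if _keyboard_walk(candidate):
        reasons.append("contains a keyboard sequence")
    if re.search(r"(.)\1{2,}", candidate):
        reasons.append("contains a character repeated three or more times")
    if account.lower() in low:
        reasons.append(f"contains the account name '{account.lower()}'")

    for other, pw in existing.items():
        if other != account and pw == candidate:
            reasons.append(f"reused from the '{other}' account")
    return reasons


def audit_accounts(passwords: dict[str, str]) -> dict[str, list[str]]:
    """Check every stored password against the others, as the game's epilogue would."""
    return {acct: check_password(pw, acct, passwords) for acct, pw in passwords.items()}


if __name__ == "__main__":
    for acct, reasons in audit_accounts(GAME_PASSWORDS).items():
        pw = GAME_PASSWORDS[acct]
        print(f"{acct:<9}{pw!r:<15}naive meter: {naive_meter(pw):<7}reasons: {reasons}")
    # A long, unpatterned replacement for the Bank account passes every rule.
    print(check_password("cobalt-lantern-47-meadow", "Bank", GAME_PASSWORDS))
```

Run as a script, it prints the naive meter's verdict next to the reason list for each of the five stored passwords: "password123" and "shopping123" both rate "strong" under the composition meter while failing on several counts, which is exactly the false sense of security Section 2 describes. The reason list is what the password check window in the game would show the player after a rejected attempt; a deployment outside the game would replace the ten-entry blocklist with a large breached-password corpus and keep the per-reason feedback.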
Figure 3: OS Login screen.

Figure 4: Desktop.

Figure 5: MyPasswords.txt document preview.

Figure 6: "Chat" app UI.



4.2. Gameplay scenario

The first element of player-game interaction is an old computer monitor with an operating system login window (Figure 3). Several sticky notes are scattered across the monitor frame, with a login and password carelessly written on them. The player needs to use these written credentials in order to access the system.

Upon entering the desktop, the player encounters a file named "MyPasswords.txt" and five distinct computer application icons on the taskbar: "Email," "Bank," "Chat," "Social," and "Shopping" (Figure 4).

At this stage, the player can access the text document, or open the interface of each application and read its predefined content. The text document (Figure 5) holds passwords for each application, shockingly weak and representative of some of the statistically most commonly used passwords in the world:

      • Email: "123456"
      • Bank: "password123"
      • Chat: "letmein"
      • Social: "qwerty"
      • Shopping: "shopping123"

After a short interval, a visual and audio notification triggers within the "Chat" app (Figure 6), revealing a message from a friend inquiring about recent data breaches in their city. As the player begins to respond to the message (or when a short timer elapses due to player inactivity), they are abruptly logged out of the chat application.

An OS Guard notification then appears, warning the player of an ongoing cyberattack (Figure 7) and prompting them to change their password to protect their account. Subsequent pop-ups follow, indicating attacks on other applications, heightening tension.

Each app screen displays a red timer, reflecting the time remaining for the player to enter their old password and generate a new, robust one. Timer durations are based on the application's importance, with the bank application's timer set to the shortest duration, emphasizing its critical nature. The chat and social media apps enjoy slightly longer timers.

In addition to time constraints, the player faces a limited number of password change attempts, with each password required to be unique and to meet predefined strength criteria. Throughout this phase of the game, OS Guard occasionally provides essential feedback and tips on password strength, and the password check window informs the player of unsuccessful attempts, specifying the contributing factors.

If the timer expires on an application or if the player accumulates too many failed attempts to change a password, the hacker takes control of the app account, engaging in malicious activities such as sending phishing emails, creating compromising posts, or initiating friend requests.

Figure 7: Guard prompt when system is under cyberattack.

The primary objective of the game is to safeguard as many accounts as possible. Successfully changing all passwords to strong, unique ones enables the player to defeat the hacker's attempts and receive a congratulatory victory screen. Conversely, the game concludes with a loss if the player loses access to the "Bank" app or if two or more other accounts are compromised.

Following either a win or a loss, an epilogue provides a summary of best practices for password security. It further explains why the passwords in the initial text document were weak. Players are granted the option to delve deeper into password security through links to additional resources or tutorials.

4.3. Educational and informative aspects

The game's narrative seamlessly integrates educational content into the player's journey, resulting in an engaging and immersive learning experience. It ensures that players develop a nuanced understanding of the risks associated with weak passwords, highlighting poor practices such as storing login data in easily accessible locations like sticky notes or files on the computer desktop.

"Lockedout" offers in-game tutorials and pop-up tips to educate players on password strength, complexity, and the significance of unique passwords. Real-time feedback on password strength, accompanied by explanations of the criteria for robust passwords, enhances the learning process.

After each playthrough, an informative summary reinforces the importance of sound password practices, providing practical guidance. Furthermore, a dedicated section invites players to delve deeper into the subject, offering supplementary resources to expand their knowledge.

To ensure that the game is accessible to players with various levels of gaming and technical experience, different difficulty levels may be implemented to cater to beginners and more advanced users.

5. Conclusion and future work

The gamification of password security education, exemplified by "Lockedout: Password Defense," marks a significant innovation in the realm of digital security instruction. Password security is an indispensable facet of modern life, and yet conventional methods of education in this domain often fall short in terms of engagement and efficacy. By embracing gamification, this paper has outlined the potential to transcend these limitations and foster a more interactive, enjoyable, and impactful learning experience.

"Lockedout" reinforces the significance of strong and unique passwords while actively promoting good practices and awareness. This approach is not only informative but also enjoyable, creating a transformative learning experience. "Lockedout" should represent a small step toward enhancing password security education. Its gamification principles will provide an innovative path for teaching users about the importance of strong passwords, making the educational journey more engaging and, ultimately, more effective.

Future work considers the completion and refinement of all required graphics and audio elements. The game will be developed in the Unity engine, utilizing the C# programming language. This development phase includes the implementation and customization of the password-checking algorithm. Additionally, extensive testing and optimization procedures will be conducted to ensure a seamless and robust gaming experience.

Acknowledgment

This paper was supported by the Blockchain Technology Laboratory at Belgrade Metropolitan University, Belgrade, Serbia.

References

[1] L. A. Shepherd, J. Archibald, R. I. Ferguson, Perception of risky security behaviour by users: Survey of current approaches, in: Human Aspects of Information Security, Privacy, and Trust: First International Conference, HAS 2013, Held as Part of HCI International 2013, Las Vegas, NV, USA, July 21-26, 2013. Proceedings 1, Springer, 2013, pp. 176–185.
[2] S. L. Pfleeger, D. D. Caputo, Leveraging behavioral science to mitigate cyber security risk, Computers & Security 31 (2012) 597–611.
[3] S. Cohen, W. Nutt, Y. Sagiv, Deciding equivalences
    among conjunctive aggregate queries, Journal of the
    ACM (JACM) 54 (2007) 5–es.
[4] J. M. Stanton, K. R. Stam, P. Mastrangelo, J. Jolton,
    Analysis of end user security behaviors, Computers
    & Security 24 (2005) 124–133.
[5] X. D. C. D. Carnavalet, M. Mannan, A large-scale
    evaluation of high-impact password strength me-
    ters, ACM Transactions on Information and System
    Security (TISSEC) 18 (2015) 1–32.
[6] S. Scholefield, L. A. Shepherd, Gamification tech-
    niques for raising cyber security awareness, in: HCI
    for Cybersecurity, Privacy and Trust: First Interna-
    tional Conference, HCI-CPT 2019, Held as Part of
    the 21st HCI International Conference, HCII 2019,
    Orlando, FL, USA, July 26–31, 2019, Proceedings 21,
    Springer, 2019, pp. 191–203.
[7] G. Fink, D. Best, D. Manz, V. Popovsky, B. Endicott-
    Popovsky, Gamification for measuring cyber secu-
    rity situational awareness, in: Foundations of Aug-
    mented Cognition: 7th International Conference,
    AC 2013, Held as Part of HCI International 2013,
    Las Vegas, NV, USA, July 21-26, 2013. Proceedings 7,
    Springer, 2013, pp. 656–665.
[8] I. Rieff, Systematically applying gamification to cy-
    ber security awareness trainings, 2018.