Passworld Game
Background:
Usage of weak passwords for authentication within an organization can be exploited during cyberattacks, leading to unauthorized account access, denial of service (DoS), etc. Password policies came into being in an attempt to encourage users to create more complex and diverse passwords; however, it has been observed that people create passwords with similar patterns. Security training is a popular mechanism in an enterprise setting. Among the various training methods, text-based training such as reading documents has been described as monotonous, whereas interactive games have been found to be helpful and immersive for cybersecurity training. Considering this, we intended to provide an interactive training experience to the employees of our organization by following a game-based password awareness methodology. We utilized the heuristics from a previous study to create a comprehensive training method for teaching password practices. Heuristics, in the context of this study, denote the techniques or practices that have to be satisfied to improve overall password strength. For example, a heuristic like “Not more than three consecutive repeating characters” is satisfied if the created password does not contain more than three consecutive repeating characters. We conducted the game-based experiment as part of our organization’s annual information security awareness week. The online 2D web game, titled Passworld, focuses on enterprise password training with little compromise on the fun element of gameplay.
-
[Research Q1] Can a game-based password awareness training teach participants various password heuristics?
[Research Q2] Can such a training improve the organizational password diversity?
-
Game Design & Real world Analogy
We decided to provide a positive gameplay experience by intertwining password awareness with a platformer-based game, where the intrinsic motivation of the fun element of gameplay merges with extrinsic motivation such as rewards and benefits. Passworld was made to have a gameplay experience similar to that of certain classic games, to create a positive mindset in players through a feeling of nostalgia. We chose a horizontal, jungle-based platformer game considering the non-monotonous gameplay, game time, interactions and visuals, and the analogy that reflects real-life scenarios of password attacks. We tried to relate the real world to our game through the following design choices:

[A] Open, interconnected world: The real cyber world is always open and interconnected. Therefore, we chose a jungle environment, where the chances of cyber-attacks are high if we do not follow proper security measures. 
[B] Digital assets need protection: In the game, important ancient artifacts are stored behind secure gates, and passwords play the key role in this protection. 
[C] Know thy enemy: In order to create secure passwords, one must know the weaknesses of passwords that are exploited by attackers. This is where the game introduces various animals, who provide tips about several password heuristics and check the user-created passwords. 
[D] Prepare to defend: In real life, we can create passwords using all available character classes; in the game, players have to gather the different character classes to create their passwords (gates). These resources are the raw materials used to create the gates, just as the L, U, D, and S character classes are used to create a password. 
[E] Build a strong defense: Passworld teaches users about password heuristics and requires them to apply what they have learned to create strong and memorable passwords that satisfy all the heuristics.

Game Mechanics
The game storyline is based in a fictional world. The gameplay of a level starts with a pre-test, then the game itself, followed by a post-test. The game consists of two levels, Level 1 and Level 2, and each level consists of sequential stages for pre-test, gameplay, password creation, distraction task, password recall, and post-test (Figure 1).
Based on our design choices, we framed our game story and various gameplay elements, as follows:

Jungle environment: The protagonist, Soma, is an archaeologist who is in search of two ancient artifacts that were lost years ago in a land called “Passworld”. Soma has to travel two days and two nights through the jungles of Passworld to find them (Figure 2). The two days are represented by the Level 1 and Level 2 gameplays.
Securely storing the artifact: Since the ancient artifacts are precious, Soma has to store them after collecting them, to protect them from being stolen. This is done by creating strong gates (analogous to secure passwords) around Soma’s camp. This happens in the two password creation stages (Figure 4), represented by the two nights.
Learning the password heuristics: In the two main levels, the players can interact with oncoming animals during gameplay to learn about various password heuristics (Figure 3). Every oncoming animal raises the curiosity of the player by showing basic heuristic details as a riddle (e.g. the fox in Figure 2). The player can choose to “know more” about a particular heuristic by clicking the animal’s heuristic text. This pops up a detailed description of the heuristic and certain statistics associated with it (Figure 3).
If these heuristics are not satisfied during a password creation stage, the corresponding animal attacks the password gate (Figure 5) and enters the camp. This also signifies how a password meter checks for various heuristics. While a password meter does not require users to satisfy all the password heuristics in an entered password, our game has this requirement because we wanted to teach all the available heuristics to the users and show them that every single one of them is important.

Resource gathering: The resources for creating these gates are obtained throughout the journey, in the form of tablets with character classes marked as L, U, D, and S (Lowercase characters, Uppercase characters, Digits, and Symbols) (Figure 7). In real life, these character classes are required for creating a password.
Creation of password gates: Once the player collects the artifacts and stores them using secure password gates (Figure 4), they complete one full day in the game. We introduced two activities after each password creation stage that act as distraction tasks. Distraction tasks distract the players for a brief period after password entry, to encourage them to create memorable passwords. Our tasks are two mini activities that ask the players to arrange certain items correctly (using drag and drop) to a) ignite a campfire and b) cook food (Figure 8).
This step is added to promote awareness about the importance of creating memorable passwords. To continue the journey on the next day, the player has to unlock the gate using the same password (Figure 4).
This password recall stage is where password memorability is tested. If players fail a level, it can be replayed. The game did not have timers, as these might have created an unwanted sense of urgency that could have limited the gameplay experience. Passworld used simple controls: arrow keys for navigation and jumping, and mouse clicks for selections.

Instructions: The oncoming animals provide instructions on various heuristics to the players. We added different animals to give each heuristic a visual identity, to make it more memorable. The same heuristic information is also available during the password creation stages to help users learn the password creation strategies. Therefore, players who feel that reading the information during gameplay is disruptive can read it later, while creating the password. The heuristics are taught one at a time, but at the end of the level the created password should incorporate all of them. Even though a strong password does not need all these heuristics to be satisfied, we did this in order to teach the users that every heuristic is important.

Feedback: As soon as the player enters a password during the password creation stage, immediate feedback is given, indicating the potential vulnerabilities within the entered password. The study on adaptive password blacklisting policies [38] introduces an interface that provides users with suggestions on modifying passwords to conform to the policies. In our study we made this process voluntary: we did not provide suggestions to the users, but only feedback on whether they satisfied certain password heuristics or not.

Game Data Recorded: The game data captured and stored included demographic information, pre-test, post-test, and feedback survey responses, various time stamps, gameplay data, heuristics viewed by the player, password structures entered, level attempt counts, heuristics (failed and successful), and password creation and recall attempts. The game converts the passwords entered by users into their respective character structures and stores those in the database. 

Password structure is an ordered sequence that captures the password’s composition using four character classes. These classes are L, U, D, and S, for lowercase and uppercase characters, digits, and symbols respectively. For example, a password like “P@ssw0rd” will only be stored as “USLLLDLL” instead of its plain text for analysis.

Password Heuristics: The game trains users in a set of 16 password heuristics, with each heuristic tagged to a particular animal (as shown in Table 1). A previous study by Ur et al. found them to be effective in increasing password strength. These password heuristics, categorized into two sets of increasing complexity, were added to the two game levels. The first level has basic password requirements such as length (H1), presence of character classes (H2-H5), alphabetic sequences (H9), etc., of which H1-H5 were part of our organization’s default password policies. The second level covers the heuristics from the first level along with new heuristics that check formatting, repeated sections in passwords, date formats, etc. A set of common words related to the organization (classified as “blacklisted” passwords) was added as a check as well. We also compared user-created password structures with over 2,124 structures obtained from the previous study. These heuristics were also clustered based on the common characteristics they possess: C1 has basic password heuristics, C2 character sequences, C3 predictable positions, C4 certain patterns, and C5 the blacklists. We taught these heuristics through the game’s main levels and let the players incorporate them while creating passwords in the password creation stages, thus letting the players demonstrate what they had learnt.
How User Created Passwords are Checked: The game checks users’ passwords through the following steps:

A] As soon as a player uses the resources (L, U, D, and S) to form a password gate, default checks for length and presence of all character classes are done. If any of them is not satisfied, the game shows appropriate error messages to the player instantly.

B] Once the password satisfies the basic criteria, the password heuristics evaluation begins.

C] For each heuristic, an animal approaches the gate (cf. Figure 5). If the corresponding heuristic is satisfied, the animal leaves (cf. Figure 6); else, it attacks the gate and enters the camp, resulting in a penalty as loss of a life. This process repeats until all level heuristics are satisfied (level cleared) or all lives are lost (level failed). After this, the player continues to the next level or returns to the start of the level, respectively.
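To make the L/U/D/S password-structure encoding described above and the three-step gate check concrete, here is an added JavaScript example; it is not the Passworld project's own code. Only the class encoding, the stored-structure idea and the check flow follow the page; the animal names, the minimum length of 8, the exact heuristic tests, the blacklist words and the life count are assumptions.

```javascript
// Added example, not the Passworld project's code. The heuristic checks, animal
// names, minimum length (8), blacklist words and life count are assumptions.

// Character class of one character: L (lowercase), U (uppercase), D (digit), S (symbol).
function charClass(ch) {
  return /[a-z]/.test(ch) ? "L" : /[A-Z]/.test(ch) ? "U" : /[0-9]/.test(ch) ? "D" : "S";
}

// Password structure as stored for analysis: the class sequence, never the plaintext.
function toStructure(password) {
  return [...password].map(charClass).join("");
}

// Step A: default checks for length and presence of all four character classes.
function basicChecks(password, minLength = 8) {
  const errors = [];
  if (password.length < minLength) errors.push(`shorter than ${minLength} characters`);
  const present = new Set(toStructure(password));
  for (const c of "LUDS") if (!present.has(c)) errors.push(`missing character class ${c}`);
  return errors;
}

// True when the password contains `len` consecutive letters in alphabetical order (e.g. "abcd").
function hasAlphaSequence(password, len) {
  const s = password.toLowerCase();
  let run = 1;
  for (let i = 1; i < s.length; i++) {
    const seq = /^[a-z]{2}$/.test(s.slice(i - 1, i + 1)) && s.charCodeAt(i) === s.charCodeAt(i - 1) + 1;
    run = seq ? run + 1 : 1;
    if (run >= len) return true;
  }
  return false;
}

// Heuristics named on the page, each tagged to an animal (animals and tests assumed).
const ORG_BLACKLIST = ["passworld", "soma", "archaeo"]; // constructed list
const HEURISTICS = [
  ["Fox", "no more than three consecutive repeating characters", (p) => !/(.)\1{3,}/.test(p)],
  ["Monkey", "no alphabetic sequence such as abcd", (p) => !hasAlphaSequence(p, 4)],
  ["Owl", "uppercase not only at the predictable first position", (p) => !/^[A-Z][^A-Z]*$/.test(p)],
  ["Snake", "no four-digit year like 1999 or 2020", (p) => !/(19|20)\d\d/.test(p)],
  ["Boar", "no organization-related word", (p) => !ORG_BLACKLIST.some((w) => p.toLowerCase().includes(w))],
];

// Steps B and C: after the basic checks pass, one animal per heuristic approaches the
// gate; each failed heuristic costs a life. Ends when all pass (cleared) or lives run out.
function evaluateGate(password, lives = 3) {
  const errors = basicChecks(password);
  if (errors.length) return { cleared: false, stage: "basic", errors, lives };
  const failed = [];
  for (const [animal, name, ok] of HEURISTICS) {
    if (ok(password)) continue;
    failed.push(`${animal}: ${name}`);
    if (--lives === 0) break;
  }
  return { cleared: failed.length === 0, stage: "heuristics", failed, lives,
           structure: toStructure(password) };
}
```

With these assumptions the page's own example “P@ssw0rd” passes the basic checks but loses a life to the uppercase-position heuristic, while a password such as “j7Qr!mv#Kz2p” clears the gate.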

Study Design
The goals of our study were to find the effectiveness of a game-based enterprise password awareness training on various password heuristics, and to identify whether such a training could be beneficial to enterprise password diversity. Previous studies have shown that game-based methods give better results than text-based means when it comes to cybersecurity training. We built on this result to test whether games could help in password awareness training, and we measured this using pre- and post-tests along with the game. The following sections describe our study procedure and evaluation results.

Participant Demographics
Game participants were employees of our organization. They were recruited for the study using mailers about the game. Interested participants clicked on the game URL within the mail to access the game. Though equipped with computer knowledge, the participants had varied understanding of gaming and password awareness. Passworld was online for one month and was played by 4,906 participants from around the globe. We selected a set of lucky winners from the participants who completed the game (20 people per day), and rewarded each of them using our organization’s equivalent of virtual currency (with a monetary value of approximately $4). 

Procedure
We organized the study as a three-step methodology. Initially the participants had to answer a pre-test (step 1). This was followed by the actual gameplay (step 2) and then the post-test (step 3). The participants accessed the game using their respective devices, and those participants who completed all the game levels from beginning to end were included in our evaluation. Only the first successful attempt at completion was used in our data analysis, even though many participants returned to play the game more than once. We measured the attempt count by tracking the “participant id” of participants, which was assigned based on their hashed email addresses. Evaluation of users’ password knowledge improvement was done by analyzing their responses to the pre- and post-tests, and the password structures entered by them during the password creation stage.
Each test question covered one password heuristic. The pre- and post-test questions followed a similar format, asking players to select the relatively weaker password of two given choices. We created the password choices by picking suitable passwords from leaked databases and minimally modifying them to test a particular heuristic, similar to the method followed in an earlier study. For example, to test H13 (predictable position of uppercase character) we chose the password “brooklyn” from the leaked database and created the password pair comprising “Brooklyn” and “brooklYn”, of which the former is weaker as the uppercase character is at a very predictable position. This method was extended to the password pairs of the other questions as well. Participants were also asked to provide their confidence rating for every answer. 

Data Analysis
We evaluated the impact of our game-based training on users’ password creation strategies. We were also interested in the changes in users’ knowledge levels regarding password practices, measured by the correct answers given in the pre- and post-tests. We tried to answer our initial research questions through the study. Participants created 17319 passwords, which fell into 11286 different password structures.

Research Q1: We checked the players’ correct answer percentages in both pre- and post-tests and analysed them to find out the improvements in users’ knowledge levels. We asked the players 24 questions, 12 each in the pre- and post-level tests. The average number of correct answers increased from 5.96 (pre-test, SD=2.3) to 6.57 (post-test, SD=2.69). A statistically significant difference was observed with respect to the correct answers given by participants in the tests before and after the game (two-tailed paired t-test, t(4905) = -19.35, p < .001).
Research Q2: We analyzed the changes in the password structures created by participants in both levels and found a visible spread in the common structures. Participants showed improvements in many complex heuristics such as predictable positions of symbols and digits, date formats, etc. Password structures showed diversity after the game-based training, with over 90% of the password structures created in Level 2 being unique. Some heuristics showed a decrease in performance, indicating that they will need further training (perhaps with a reduced heuristics overload).
Game Feedback: As per the feedback data, 93.50% of participants agreed that the game was fun (M = 4.42, SD = 0.69), 93.85% (M = 4.42, SD = 0.68) found the game to be educational, and 94.24% (M = 4.48, SD = 0.68) considered that they had learned about secure password practices.

Conclusions
The Passworld game was designed to provide awareness of various password heuristics to enterprise users. The main objectives of our study were to find 1) whether a game-based training could teach users password heuristics and 2) whether such a training on heuristics could improve organizational password diversity. We used the password heuristics from a previous study for teaching, and we checked whether the users satisfied every one of these heuristics during their password creation. Our intention was different from that of the previous study, where satisfying all the heuristics was not mandatory. We intended to teach the users the importance of each heuristic, and wanted to see how many users successfully implemented what they learnt. We presented the results from our enterprise study with 4,906 participants. Even though ours was a standalone study without a control condition, we found that after playing the game the correctness and confidence levels of the participants increased. The password structures created by the participants showed more diversity post gameplay. This, along with the positive feedback, shows that the gameplay helped the participants learn the concepts needed to implement diverse and memorable passwords. We believe that this trend, when followed in real life, would result in organizational password diversity.

We recommend the launch of such training methods in an organizational environment to ensure that users learn about password heuristics and incorporate them while creating passwords to promote diversity in password structures. This could be a deciding factor when it comes to organizational password security.

Recommendations for further study follow. First, the study could be carried out on a set of wider demographics, with different levels of understanding of security concepts and learning backgrounds. To reduce the information overload, we propose a gradual learning with one set of heuristics, followed by another set. Training on patterns (like alphabetic sequences, keyboard patterns etc.) could be done separately to lay emphasis on it. A methodology to evaluate users’ password memorability over long periods could also be beneficial in proposing further learning goals. We aim to explore further areas of password and cybersecurity education through interactive gameplay experiences.

Publications:
1) Passworld: A Serious Game to Promote Password Awareness and Diversity in an Enterprise, Gokul CJ, Gangadhara Sirigireddy, Sukanya Vaddepalli, Vijayanand Banahatti, Sachin Lodha and Sankalp Pandit. 16th Symposium on Usable Privacy and Security (SOUPS 2020)

2) Gamifying Password Training Shows Security Benefits, news article on Darkreading.com, August 10, 2020.

Patent filed: METHOD AND SYSTEM FOR DYNAMIC GENERATION OF PASSWORD HEURISTICS, filed in India, Indian Patent Application No 202121042559 (2021)
----------------------------------------------------
Team size (min-max):
2-3
Technology: 
JAVA/J2EE, JavaScript
My Role:
Team Lead
My Contribution:  
Problem formulation, Brainstorming, Game Experiment Design, Data Analysis, Team coordination.
----------------------------------------------------

Acknowledgment: All the game animation was done by Gokul CJ (my team member).