GAP: A Game for Improving Awareness About Passwords

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11243)


Text-based password is the most popular method for authenticating users on the internet. However, despite decades of security research, users continue to choose easy-to-guess passwords to protect their important online accounts. In this paper, we explore the potential of serious games to educate users about various features that negatively impact password security. Specifically, we designed a web-based casual game called GAP and assessed its impact by conducting a comparative user study with 119 participants. The study results show that participants who played GAP demonstrated improved performance in recognizing insecure password features than participants who did not play GAP. Besides having educational value, most of the participants also found GAP fun to play.


Serious games Passwords Security Human factors 


  1. 1.
    Casual Games Association: Casual Games Sector Report. Accessed 10 August 2018
  2. 2.
    National Research Council, et al.: How People Learn: Bridging Research and Practice. National Academies Press, Washington, D.C. (1999)Google Scholar
  3. 3.
    Bowes, R.: Passwords. Accessed 10 August 2018
  4. 4.
    de Carné de Carnavalet, X., Mannan, M.: From very weak to very strong: analyzing password-strength meters. In: NDSS 2014. Internet Society (2014)Google Scholar
  5. 5.
    Chesham, A., Wyss, P., Müri, R.M., Mosimann, U.P., Nef, T.: What older people like to play: genre preferences and acceptance of casual games. JMIR Serious Games 5(2), e8 (2017)CrossRefGoogle Scholar
  6. 6.
    Connolly, T.M., Boyle, E.A., MacArthur, E., Hainey, T., Boyle, J.M.: A systematic literature review of empirical evidence on computer games and serious games. Comput. Educ. 59(2), 661–686 (2012)CrossRefGoogle Scholar
  7. 7.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: NDSS 2014, pp. 23–26. Internet Society (2014)Google Scholar
  8. 8.
    Denning, T., Lerner, A., Shostack, A., Kohno, T.: Control-Alt-Hack: the design and evaluation of a card game for computer security awareness and education. In: CCS 2013, pp. 915–928 (2013)Google Scholar
  9. 9.
    Dickey, M.D.: Engaging by design: how engagement strategies in popular computer and video games can inform instructional design. Educ. Technol. Res. Dev. 53(2), 67–83 (2005)CrossRefGoogle Scholar
  10. 10.
    Florencio, D., Herley, C.: A large-scale study of web password habits. In: WWW 2007, pp. 657–666 (2007)Google Scholar
  11. 11.
    Gerling, K., Fuchslocher, A., Schmidt, R., Krämer, N., Masuch, M.: Designing and evaluating casual health games for children and teenagers with cancer. In: Anacleto, J.C., Fels, S., Graham, N., Kapralos, B., Saif El-Nasr, M., Stanley, K. (eds.) ICEC 2011. LNCS, vol. 6972, pp. 198–209. Springer, Heidelberg (2011). Scholar
  12. 12.
    Grimes, A., Kantroo, V., Grinter, R.E.: Let’s play! Mobile health games for adults. In: Ubicomp 2010, pp. 241–250. ACM (2010)Google Scholar
  13. 13.
    Hendrix, M., Al-Sherbaz, A., Victoria, B.: Game based cyber security training: are serious games suitable for cyber security training? IJSG 3(1), 53–61 (2016)CrossRefGoogle Scholar
  14. 14.
    Hunt, T.: Pwned passwords. Accessed 10 August 2018
  15. 15.
    Kuittinen, J., Kultima, A., Niemelä, J., Paavilainen, J.: Casual games discussion. In: Proceedings of the 2007 Conference on Future Play, pp. 105–112. ACM (2007)Google Scholar
  16. 16.
    Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: CCS 2013, pp. 173–186. ACM (2013)Google Scholar
  17. 17.
    Morrison, C.: Casual Gaming Worth \$2.25 Billion, and Growing Fast. Accessed 10 August 2018
  18. 18.
    NPD: The NPD Group: 37 Percent of U.S. Population Age 9 and Older Currently Plays PC Games. Accessed 10 August 2018
  19. 19.
    NPS: Cyberciege (2004). Accessed 10 August 2018
  20. 20.
    Phaser: Desktop and Mobile HTML5 Game Framework. Accessed 10 August 2018
  21. 21.
    ProofPoint: Wombat Security Technologies. Accessed 10 August 2018
  22. 22.
    Reimers, S., Stewart, N.: Presentation and response timing accuracy in Adobe Flash and HTML5/JavaScript web experiments. Behav. Res. Methods 47(2), 309–327 (2015)CrossRefGoogle Scholar
  23. 23.
    Rittle-Johnson, B., Koedinger, K.R.: Comparing instructional strategies for integrating conceptual and procedural knowledge (2002)Google Scholar
  24. 24.
    Schroth, M.L.: The effects of delay of feedback on a delayed concept formation transfer task. Contemp. Educ. Psychol. 17(1), 78–82 (1992)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Shay, R., et al.: Encountering stronger password requirements: user attitudes and behaviors. In: SOUPS 2010, pp. 2:1–2:20 (2010)Google Scholar
  26. 26.
    Sheng, S., et al.: Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish. In: SOUPS 2007, pp. 88–99 (2007)Google Scholar
  27. 27.
    Squire, K.D.: Video game-based learning: an emerging paradigm for instruction. Perform. Improv. Q. 21(2), 7–36 (2008)CrossRefGoogle Scholar
  28. 28.
    Ur, B., et al.: “I added ‘!’ at the end to make it secure”: observing password creation in the lab. In: SOUPS 2015, pp. 123–140. USENIX Association (2015)Google Scholar
  29. 29.
    Wiemker, M., Elumir, E., Clare, A.: Escape room games. Game Based Learn. (2015)Google Scholar
  30. 30.
    Wouters, P., Van Nimwegen, C., Van Oostendorp, H., Van Der Spek, E.D.: A meta-analysis of the cognitive and motivational effects of serious games. J. Educ. Psychol. 105(2), 249 (2013)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.TCS ResearchPuneIndia
  2. 2.IIT BombayMumbaiIndia

Personalised recommendations