Building and Testing a gamified app for generating strong and memorable passwords: an exploratory study in cybersecurity
Abstract
Although the use of online services has increased in the last decade, the strength of passwords created by users has remained at concerning levels. The aim of this study was to develop and evaluate the efficiency of a gamified app in fostering the behavior of "designing strong passwords". Ten adults with an average age of 22.45 years participated over a nine-day period. Compared to conventional password generation algorithms, passwords generated by our app performed 68.43% better in a memorization test, 4.87% better in a typing test, and 60.38% better in a combined test. Our approach proved to be promising in promoting strong and memorable passwords.
Published
2024-09-16
How to Cite
ROMÃO, Hugo Lima; HENKLAIN, Marcelo Henrique Oliveira; LOBO, Felipe Leite; FEITOSA, Eduardo Luzeiro. Building and Testing a gamified app for generating strong and memorable passwords: an exploratory study in cybersecurity. In: WORKSHOP ON SCIENTIFIC INITIATION AND UNDERGRADUATE WORKS - BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 256-269. DOI: https://doi.org/10.5753/sbseg_estendido.2024.243316.
