

8/10/2020
06:25 PM

Gamifying Password Training Shows Security Benefits

When picking passwords, users often fall back on certain insecure patterns, but good habits can be learned using simple games, a group of researchers find.

Passwords continue to be problematic for many companies because users tend to pick predictable combinations of letters, numbers, and symbols. Using a game for training can reinforce the rules for picking stronger passwords, a group of researchers from the India-based Tata Consultancy Services stated in a presentation at the USENIX Symposium on Usable Privacy and Security on August 10 and in a report.

In a study with the company's 4,904 employees, the researchers found that an educational game — called Passworld — improved users' choice of passwords along several measurements, such as creating unique sequences of characters without duplicates or repeating patterns. The game required users to find a valuable artifact and then protect it using a strong set of gates, each of which represented a letter, number, or special symbol. 

While the game did not actually try to break the player's password, it did evaluate the user's choices against the list of rules, said Gokul Chettoor Jayakrishnan, a researcher with Tata Consultancy Services and one of the authors of the paper.

"We are not exclusively telling the users that this is a strong password, but at the end of the game, we are seeing whether the users learned the heuristics and produced more diverse passwords at the end," he says.

The game first tested the player's knowledge of the heuristics for strong password creation during a pretest, and then had the user play the game and create a password. Then it distracted the user with minigames, until the game tested the person's recall of the password. Finally, the game tested the player's knowledge of strong passwords. 

While users originally tended to follow similar, insecure practices to create passwords — such as a word followed by a number — after playing the game, the participants increased their password diversity, the paper found. In addition, many fewer employees chose to include blocked terms in their passwords, leading to a 77% reduction in the use of common organizational terms.

"In the beginning, there was a common trend of the users to create similar passwords, because there were rules, such as the password must be a certain length," Jayakrishnan said. "But once they played the game, there was a greater diversity of passwords."

Users' poor choice of passwords, and their penchant for reusing them, have been at the heart of many data breaches and network compromises. Smaller companies of fewer than 25 employees tend to have 14 passwords per employee, while those in larger companies of more than 1,000 employees have only 4 passwords per person, credential management firm LastPass stated in its "2019 Annual Global Password Security" report.

Password strength meters, which give users an interactive metric of a password as they are entering the characters, help to some extent, but researchers have found that some users mistrust the guides because the users have no foundation in the rules for creating strong passwords, the researchers stated in their paper.

For many companies, the solution is to take users' choices out of the equation. Companies are increasingly adopting multifactor authentication (MFA) to help strengthen security that otherwise would rely on employees' password choice. In 2019, 57% of companies had adopted MFA, up from 45% the previous year, according to the LastPass report.

In addition, as password managers have become more common on mobile devices, employees have increasingly adopted the technology. Nearly a quarter of employees used a password manager on their mobile devices, according to LastPass. 

Gamification did not, however, improve every metric of security. Users still chose predictable keyboard patterns, such as "qwerty," and predictable placement of uppercase letters, such as the beginning or end of a sentence.

"Some of the heuristics saw a decline, including keyboard patterns and uppercase patterns, which may indicate that they need more training in the game," Jayakrishnan says.

The researchers intend to add modifications to the game to incorporate what they have learned, such as reminding users in real time about the importance of not including common uppercase or keyboard patterns.
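The heuristics the article names (repeated characters or chunks, keyboard walks such as "qwerty", uppercase letters parked only at the ends, a word followed by a number, and blocked organizational terms) can be expressed as a defender-side policy check that explains to a user which habit their candidate password fell into. The Python below is an added example written for this page, not code from the Passworld game or the paper; the blocked-term list and the four-key keyboard-run threshold are constructed assumptions.

```python
import re

# Constructed stand-ins for the study's blocked organizational terms; the
# article does not reproduce the real list, so these are illustrative only.
BLOCKED_TERMS = ("tata", "tcs", "consultancy", "passworld")

# Keyboard rows used to detect walks such as "qwerty" or "1234" (assumption:
# a four-key run in either direction counts as a keyboard pattern).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def has_keyboard_pattern(pw, run=4):
    """True if `run` consecutive characters walk a keyboard row forward or backward."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False

def has_repeated_pattern(pw):
    """True on a tripled character ("aaa") or an immediately repeated chunk ("abab", "2020")."""
    return re.search(r"(.)\1\1", pw) is not None or re.search(r"(..+?)\1", pw) is not None

def uppercase_only_at_edges(pw):
    """True if the password has uppercase letters and every one sits at the first or last position."""
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    return bool(uppers) and all(i in (0, len(pw) - 1) for i in uppers)

def is_word_then_number(pw):
    """True for the "word followed by a number" shape the study found to be the default habit."""
    return re.fullmatch(r"[A-Za-z]+\d+[^A-Za-z0-9]*", pw) is not None

def contains_blocked_term(pw, blocked=BLOCKED_TERMS):
    """True if any blocked organizational term appears, ignoring case."""
    low = pw.lower()
    return any(term in low for term in blocked)

def check_password(pw, blocked=BLOCKED_TERMS):
    """Return the names of the heuristics the password violates; an empty list means none fired."""
    checks = (
        ("keyboard_pattern", has_keyboard_pattern(pw)),
        ("repeated_pattern", has_repeated_pattern(pw)),
        ("uppercase_at_edges", uppercase_only_at_edges(pw)),
        ("word_then_number", is_word_then_number(pw)),
        ("blocked_term", contains_blocked_term(pw, blocked)),
    )
    return [name for name, fired in checks if fired]
```

The returned names are meant to drive the kind of real-time reminder the researchers describe, rather than a single pass/fail verdict.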


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

RichardM23501,
User Rank: Apprentice
9/1/2020 | 1:19:23 PM
Let it go, let it go...!
Great article.

Soon, password usage will be deprecated, like many obsolete technologies. With 2FA, MFA and IDMs becoming mainstream, the concept of passwords is very short lived.

Looking forward to forgetting many more passwords.
rainajordan,
User Rank: Apprentice
8/26/2020 | 3:53:41 AM
Thanks
Nice Information, Thanks 