Using Gamification and Fear Appeal Instead of Password Strength Meters to Increase Password Entropy

Open access


It is very common for users to create weak passwords. Currently, the majority of websites deploy password strength meters to provide timely feedback. These meters are in wide use and their effects on the security of passwords have been relatively well studied. In this paper another type of feedback is studied: a gamified approach supported by fear appeal. In this approach, users are encouraged to make passwords stronger through the use of visual and textual stories. This approach is supported by data-driven suggestions about how to improve password security as well as by fear appeal. To prove the effectiveness of this gamified password creation process, an experiment was performed in which users changed their passwords in two ways: without any feed-back, and with gamified feedback with fear appeal. To support the initial findings a questionnaire was completed by participants at the end of research.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Bishop M. Klein D. V. Improving system security via proactive password checking ‘Computers & Security’ 1995 14(3) pp. 233–249.

  • [2] Bonneau J. Herley C. Oorschot P. C. van Stajano F. Passwords and the evolution of imperfect authentication ‘Communications of the ACM’ 2015 58(7) pp. 78–87.

  • [3] Bonneau J. The science of guessing: analyzing an anonymized corpus of 70 million passwords Security and Privacy (SP) IEEE Symposium 2012 pp. 538–552.

  • [4] Carné de Carnavalet de X. Mohammad M. From Very Weak to Very Strong: Analyzing Password-Strength Meters 2014 Conference ‘Network and Distributed System Security Symposium’ DOI: 10.14722/ndss.2014.23268 10.14722/ndss.2014.23268.

  • [5] Das A. Bonneau J. Caesar M. Borisov N. Wang X. The tangled web of password reuse Symposium on Network and Distributed System Security 2014 Vol. 14 pp. 23–26.

  • [6] Dell’Amico M. Michiardi P. Roudier Y. Password strength: An empirical analysis Proceedings IEEE INFOCOM 2010 pp. 1–9.

  • [7] Deterding S. Dixon D. Khaled R. Nacke L. From game design elements to gamefulness: defining gamification Proceedings of the 15th International Academic MindTrek Conference ‘Envisioning future media environments’ 2011 pp. 9–15.

  • [8] Deterding S. Sicart M. Nacke L. O’Hara K. Dixon D. Gamification. using game-design elements in non-gaming contexts CHI’11 — Extended abstracts on human factors in computing systems 2011 pp. 2425–2428.

  • [9] Egelman S. Sotirakopoulos A. Muslukhov I. Beznosov K. Herley C. Does my password go up to eleven? The impact of password meters on password selection Proceedings of the SIGCHI Conference on Human Factors in Computing Systems 2013 pp. 2379–2388.

  • [10] Furnell S. An assessment of website password practices ‘Computers & Security’ 2007 Vol. 26(7–8) pp. 445–451.

  • [11] Hamari J. Koivisto J. Sarsa H. Does gamification work? A literature review of empirical studies on gamification IEEE System Sciences (HICSS) 47th Hawaii International Conference 2014 pp. 3025–3034.

  • [12] Huang X. Xiang Y. Bertino E. Zhou J. Xu L. Robust multifactor authentication for fragile communications IEEE ‘Transactions on Dependable and Secure Computing’ 2014 Vol. 11 No. 6 pp. 568–581 DOI: 10.1109/TDSC.2013.2297110.

  • [13] Johnston A. C. Warkentin M. Fear appeals and information security behaviors: an empirical study ‘MIS Quarterly’ 2010 pp. 549–566.

  • [14] Kelley P. G. Komanduri S. Mazurek M. L. Shay R. Vidas T. Bauer L. Lopez J. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Security and Privacy (SP) IEEE Symposium 2012 pp. 523–537.

  • [15] Melicher W. Ur B. Segreti S. M. Komanduri S. Bauer L. Christin N. Cranor L. F. Fast Lean and Accurate: Modeling Password Guessability Using Neural Networks USENIX Security Symposium 2016 pp. 175–191.

  • [16] Naiakshina A. Danilova A. Tiefenau C. Herzog M. Dechand S. Smith M. Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study ACM Proceedings of the SIGSAC Conference on Computer and Communications Security 2017 pp. 311–328.

  • [17] Rodwald P. Biernacik B. Password protection in IT systems ‘Bulletin of the Military University of Technology’ 2018 Vol. 67 pp. 73–92 DOI: 10.5604/01.3001.0011.8036.

  • [18] Seitz T. Hussmann H. PASDJO: quantifying password strength perceptions with an online game ACM Proceedings of the 29th Australian Conference on Computer-Human Interaction 2017 pp. 117–125.

  • [19] Shannon C. E. A mathematical theory of communication ‘Bell System Technical Journal’ 1948 Vol. 27 pp. 379–423 623–656.

  • [20] Shannon C. E. Prediction and Entropy of Printed English ‘Bell System Technical Journal’ 1951 Vol. 30 No. 1 pp. 50–64.

  • [21] Sotirakopoulos A. Influencing User Password Choice Through Peer Pressure master thesis The University of British Columbia Vancouver 2011.

  • [22] Stobert E. Biddle R. The password life cycle: user behavior in managing passwords Proceedings SOUPS 2014.

  • [23] Ur B. Alfieri F. Aung M. Bauer L. Christin N. Colnago J. Johnson N. Design and evaluation of a data-driven password meter Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems 2017 pp. 3775–3786.

  • [24] Ur B. Kelley P. G. Komanduri S. Lee J. Maass M. Mazurek M. L. Christin N. How does your password measure up? The effect of strength meters on password creation USENIX Security Symposium 2012 pp. 65–80.

  • [25] Vance A. Eargle D. Ouimet K. Straub D. Enhancing password security through interactive fear appeals: A web-based field experiment IEEE System Sciences (HICSS) 46th Hawaii International Conference 2013 pp. 2988–2997.

  • [26] Weir M. Aggarwal S. Collins M. Stern H. Testing metrics for password creation policies by attacking large sets of revealed passwords Proceedings of the 17th ACM conference on Computer and communications security 2010 pp. 162–175.

  • [27] Zezschwitz E. von Luca A. de Hussmann H. Survival of the shortest: A retrospective analysis of influencing factors on password composition ‘Proceedings of the IFIP Conference on Human-Computer Interaction’ 2013 Publ. Springer Berlin Heidelberg 2013 pp. 460–467.

  • [28] Zhang-Kennedy L. Chiasson S. Biddle R. Password advice shouldn’t be boring: Visualizing password guessing attacks IEEE ‘eCrime Researchers Summit’ 2013 pp. 1–11.

  • [29] Zhao Z. Ahn G.-J. Hu H. Picture gesture authentication: Empirical analysis automated attacks and scheme evaluation ACM ‘Transactions on Information and System Security (TISSEC)’ 2015 Vol. 17 No. 4 pp. 1–37.

  • [30] Zhu B. Yan J. Bao G. Mao M. Xu N. Captcha as graphical passwords–a new security primitive based on hard AI problems IEEE ‘Transactions on Information Forensics and Security’ 2014 Vol. 9 No. 6 pp. 891–904 DOI: 10.1109/TIFS.2014.2312547.

  • [31] Castelluccia C. Dürmuth M. Perito D. Adaptive Password-Strength Meters from Markov Models Symposium on Network and Distributed System Security 2012 [online] [access 02.11.2018].

  • [32] Habib H. Colnago J. Melicher W. Ur B. Segreti S. Bauer L. Cranor L. Password creation in the presence of blacklists Proceedings USEC 2017 [online] [access 02.11.2018].

  • [33] Reilly M. Google Has a Plan to Kill Off Passwords [online] [access 02.11.2018].

  • [34] Thomas K. Li F. Zand A. Barrett J. Ranieri J. Invernizzi L. Markov Y. Comanescu O. Eranti V. Moscicki A. Margolis D. Paxson V. Bursztein E. Data Breaches Phishing or Malware? Understanding the Risks of Stolen Credentials 2017 [online] [access 02.11.2018].

  • [35] 2016 Data Security Incident Uber Newsroom [online] [access 02.11.2018].

  • [36] Adobe breach impacted at least 38 million users Krebs on Security [online] [access 02.11.2018].

  • [37] Advanced password recovery Hashcat [online] [access 02.11.2018].

  • [38] AntMiner S9 BITMAIN [online] [access 02.11.2018].

  • [39] Digital Identity Guidelines Authentication and Lifecycle Management NIST Special Publication 800-63B [online] DOI: 10.6028/NIST.SP.800-63-3 [access 02.11.2018].

  • [40] Dropbox hack leads to leaking of 68m user passwords on the internet The Guardian [online] [access 02.11.2018].

  • [41] Hacker tries to sell 427 million stolen myspace passwords for $2800 Vice [online] [access 02.11.2018].

  • [42] Have I been pwned API [online] [access 02.11.2018].

  • [43] LinkedIn lost 167 million account credentials in data breach Fortune [online] [access 02.11.2018].

  • [44] Mobile Push Authentication RSA [online] [access 02.11.2018].

  • [45] Password cracker John the Ripper [online] [access 02.11.2018].

  • [46] Special Publication 800-63-2 Electronic Authentication Guideline NIST [online] DOI: 10.6028/NIST.SP.800-63-2 [access 02.11.2018].

  • [47] Visualizing Data Breaches Center Mast [online] [access 02.11.2018].

  • [48] Web Authentication: An API for accessing Public Key Credentials WC3 [online] [access 02.11.2018].

  • [49] Yahoo hacked 450000 passwords posted online CNN [online] [access 02.11.2018].

Journal information
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 42 42 4
PDF Downloads 43 43 5