Home - Headlesser/PasswordsPleasev2 GitHub Wiki

Summary

"Passwords, Please" is a 3D browser-based puzzle game created for the IT Training department at Indiana University. The purpose of this game is to provide a short, educational experience focused on identifying problematic cyber-security practices commonly found among users, and to show players where their own security habits fall short.

Development Structure

Development is structured much like building a sandwich.

  • Player starts and has first interaction: bottom bun
  • Player acquires safe pass-code from previous interaction and accesses safe: top bun
  • All interactions that lead to the top bun act as the meat and condiments that slowly make the entire experience more varied and interesting.

Lessons from Interactions

Basic Password Complexity

  • Takeaway should be: Short passwords can be easier to guess, and using easily accessible personal information as the basis for a password allows for easy breaches of security.
  • Achieved by: Making the password simple and locating it nearby on an open source. Reinforced by an inner monologue indicating that leaving information out in the open made things a lot easier than they should have been.

Two Factor Authentication

  • Takeaway should be: This form of security works well if other forms of security are strong as well.
  • Achieved by: Showing the structure of 2FA in a non-traditional way. 2FA is essentially a box of valuables inside a locked box, where the key can potentially be inside another locked but separate box. Dialogue from the player character will reinforce that the "keys" for these locks should be well guarded, or else the function of the locks is seemingly redundant.

Security Questions

  • Takeaway should be: These work well when strong questions are picked. If questions use easily accessible public information as answers, they can be breached with just the right amount of poking around.
  • Achieved by: Players will have to answer security questions to bypass a lock, supplying specific passwords that only the creator should know. However, the questions will be rather generic, showing why choosing questions whose answers can be easily discovered in public settings (like the internet or at home) makes it easier for this form of security to fail.