Building, breaking, and building again¶
These three games are for a table and some concentrated attention. They are less about movement and more about making, solving, and defending: building a strong passphrase out of rolled dice, constructing a layered defence against a Hacker, decrypting a message before the clock runs out.
They tend to work well with smaller groups and suit players who like puzzles. Most of them have a cooperative element, which means losing together is part of the learning. The most useful question to ask at the end is not “why did we lose?” but “how would we set up differently next time?”
Password Potting Shed¶
Gather paper, coloured pens, and a pair of dice. Before the game, write out a simple word list together: one word for each number you can roll, or pair of numbers if you want more variety. Roll the dice five times. Each roll gives you a word. Write your five words in order.
Now here is the real challenge: create a story or a drawing that links the five words together in a sequence you can remember. It does not have to make sense. It just has to stick. When everyone is ready, put the cards away and see who can recite their passphrase from memory first after a few minutes have passed.
The game makes something visible that is genuinely surprising to most people. A five-word passphrase generated by dice is both cryptographically stronger than a short password full of symbols, and considerably easier to remember, because you can hang a story on it. A password like “P@ssw0rd!” is short, hard to remember precisely, and not as strong as it looks. Five words connected by a ridiculous little story stick much more readily.
The method used in the game is called Diceware and it is a real approach to generating secure passphrases. You can take it straight out of the game and use it for your actual passwords: look up Diceware word lists online, roll physical dice, and generate passphrases you will remember without writing them down. The game version uses shorter lists to keep it playable, but the principle is identical.
Works well across a wide age range. Young children will need simpler word lists; the storytelling and drawing step tends to produce particularly imaginative results from them. Adults often find this one the most practically useful game in the whole collection.
Two-Factor Fortress¶
Set up a row of tokens representing accounts. One player is the Hacker, whose goal is to capture as many tokens as possible before the time runs out. The other players are Account Owners, defending their tokens using cards that represent passwords and 2FA codes. The crucial rule is this: the Hacker cannot capture a token unless they can play both a matching password card and a matching 2FA code card at the same time. Having one is not enough.
The cooperative element is what makes the game work. One Account Owner might hold the password cards; another holds the 2FA codes. To defend effectively, they have to communicate and coordinate, because the Hacker is watching for the moment when both elements are left unguarded at the same time. The game recreates the logic of two-factor authentication through its rules rather than through explanation.
What players tend to discover is that having two separate things to protect changes the nature of the attack considerably. A Hacker who manages to steal one password has got hold of one thing. A Hacker who needs both the password and the 2FA code, which is typically sent to a separate device or generated by a separate app, faces a much harder problem. Two-factor authentication is not a convenience feature. It is a structural change in what an attacker needs to succeed.
Works well from age ten upwards. The cooperative element makes it particularly good for groups where some players are less technically confident: you can defend very effectively in this game simply by holding onto your 2FA code cards and refusing to let go of them.
Encryption Escape Room¶
One player prepares a set of coded messages using simple substitution ciphers, where each letter is replaced by a symbol or a different letter according to a hidden key. The team has a time limit to work through each puzzle in sequence. Each decoded message contains either the clue to the next puzzle or a fragment of a final message. The team wins if they can read the complete message before the clock runs out.
The pleasure of cracking a cipher under time pressure is its own reward, and it does not require any technical knowledge to enjoy. But the game also produces something else, quietly. You held a message that was opaque: a sequence of symbols that meant nothing. You found the key and applied it, and the message became legible. Encryption is exactly that transformation. It is not a property that data simply has; it is a process that you apply, and the key is what makes the difference between a locked message and an open one.
Good escape rooms scale with the ambition of the puzzles. Simple substitution ciphers are accessible from age ten or eleven; adding pattern-recognition challenges, multi-step decryptions, or deliberate red herrings makes the experience considerably harder for older players and adults. The time limit can be adjusted freely. For an extra layer, one player can take the role of Interceptor, trying to crack the same puzzles simultaneously and racing the team to the final message.
The game works particularly well as a group activity because the puzzles benefit from different people noticing different things. Someone will spot a pattern that everyone else walked past, and that moment of “wait, look at this” is one of the best things a game can produce.