Learning Password Best Practices Through In-Task Instruction
Qian Ma, Yingfan Zhou, Shubhang Kaushik, Aamod Joshi, Aditya Majumdar, Noah Apthorpe, Yan Shvartzshnaider, Sarah Rajtmajer, Brett Frischmann

TL;DR
This paper introduces pedagogical friction, a design method that improves password creation by providing in-task guidance, leading to better rule compliance and understanding among users.
Contribution
It demonstrates that brief, instructional interactions during password creation enhance user adherence to security rules and understanding, with potential for broader application.
Findings
Participants corrected most password rule violations after guidance.
High behavior-knowledge alignment was observed in guided conditions.
Guidance was especially effective for symbol-related password rules.
Abstract
Users often make security- and privacy-relevant decisions without a clear understanding of the rules that govern safe behavior. We introduce pedagogical friction, a design approach that inserts brief, instructional interactions at the moment of action. We evaluate this approach in the context of password creation, a familiar task with clear quality criteria. We conducted a randomized study with 128 participants across four interface conditions that varied the depth and interactivity of guidance. We assessed three outcomes: (1) rule compliance in a subsequent password task without guidance, (2) accuracy on survey questions tied to password rules, and (3) behavior-knowledge alignment, which captures whether participants who correctly followed a rule also recognized it on the survey. Across the guided conditions, participants corrected most rule violations in the follow-up task and showed…
