Learning Password Best Practices Through In-Task Instruction
This addresses the problem of improving user security practices in password creation for general users, though it is incremental as it builds on existing design approaches.
The paper tackled the problem of users making security decisions without understanding safe behavior by introducing pedagogical friction, a design approach that provides instructional interactions during tasks. In a study with 128 participants on password creation, this intervention led to high rule compliance and behavior-knowledge alignment in follow-up tasks.
Users often make security- and privacy-relevant decisions without a clear understanding of the rules that govern safe behavior. We introduce pedagogical friction, a design approach that inserts brief, instructional interactions at the moment of action. We evaluate this approach in the context of password creation, a familiar task with clear quality criteria. We conducted a randomized study with 128 participants across four interface conditions that varied the depth and interactivity of guidance. We assessed three outcomes: (1) rule compliance in a subsequent password task without guidance, (2) accuracy on survey questions tied to password rules, and (3) behavior-knowledge alignment, which captures whether participants who correctly followed a rule also recognized it on the survey. Across the guided conditions, participants corrected most rule violations in the follow-up task and showed high behavior-knowledge alignment. Survey results suggested clearer advantages for some rule types, especially symbol related questions. These results position pedagogical friction as a lightweight intervention for security- and privacy-critical interfaces.