Learning Password Best Practices Through In-Task Instruction
Abstract
Users often make security- and privacy-relevant decisions without a clear understanding of the rules that govern safe behavior. We introduce pedagogical friction, a design approach that inserts brief, instructional interactions at the moment of action. We evaluate this approach in the context of password creation, a familiar task with clear quality criteria. We conducted a randomized study with 128 participants across four interface conditions that varied the depth and interactivity of guidance. We assessed three outcomes: (1) rule compliance in a subsequent password task without guidance, (2) accuracy on survey questions tied to password rules, and (3) behavior-knowledge alignment, which captures whether participants who correctly followed a rule also recognized it on the survey. Across the guided conditions, participants corrected most rule violations in the follow-up task and showed high behavior-knowledge alignment. Survey results suggested clearer advantages for some rule types, especially symbol related questions. These results position pedagogical friction as a lightweight intervention for security- and privacy-critical interfaces.
Cite
@article{arxiv.2601.06650,
title = {Learning Password Best Practices Through In-Task Instruction},
author = {Qian Ma and Yingfan Zhou and Shubhang Kaushik and Aamod Joshi and Aditya Majumdar and Noah Apthorpe and Yan Shvartzshnaider and Sarah Rajtmajer and Brett Frischmann},
journal= {arXiv preprint arXiv:2601.06650},
year = {2026}
}
Comments
19 pages, 6 figures, 16 tables