- Weak Password Rules Breed Insecure Habits on the World's Major Websites
- Mission-critical industries continue to rely on outdated requirements when handling sensitive user data.
- Automated attacks exploit insecure credentials faster than websites can adapt.
New research has found that many users struggle to create strong passwords across multiple accounts because the wider digital ecosystem rarely nudges them to make secure choices.
Report from NordPass In a study of the world's 1,000 most visited websites today, we found that most platforms still allow short, predictable passwords, creating an environment where weak habits become the norm over time.
Poorly enforced policies on large websites shape user behavior long before attackers exploit these gaps, and current standards do not reflect modern security realities.
Weak enforcement in critical industries
“The Internet teaches us how to log in, and for decades it has taught us the wrong lessons. If a site accepts 'password 123,' users learn that that's enough, and it's not,” says Karolis Arbachauskas, head of product at NordPass.
The report shows there are major inconsistencies in how websites approach password protection, with sectors handling sensitive information often performing the worst.
Government, healthcare, and food industry sites showed some of the weakest policy requirements, even though these industries handle high-risk data.
Unfortunately, these platforms sometimes focus on ease of customization, especially those that promote free website design or simplified customization models.
NordPass reports that 58% of websites tested allow passwords without special characters, 42% do not set a minimum length, and 11% do not impose any restrictions.
Only 1% meets best practice expectations, requiring longer and more complex combinations that use a variety of characters and case sensitivity.
This means that many platforms have outdated credential policies that do not keep up with the pace of threat development.
The analysis also notes that authentication technologies continue to be unevenly applied across the web, creating further inconsistencies in user security.
Although 39% of websites support single sign-on, only a very small number of them have implemented access keys, even though they are more durable and user-friendly than traditional passwords.
“Security should be a partnership. Websites can create safer habits by guiding users through better design, such as clear rules, visual indicators, or even modern authentication such as passwords,” continues Arbachauskas.
NordPass identified just five websites that met the strictest criteria defined by recognized standards, demonstrating how secure design principles have been slow to spread even among high-traffic platforms, with limited adoption of best practices contributing to a fragmented security landscape.
The report warns that weak enforcement is making users more vulnerable, while automated attacks are becoming faster and more accessible.
Inconsistent requirements create attack opportunities that can be easily exploited by artificial intelligence tools.
In addition, the use of simplified publishing systems, including those based on artificial intelligence. website buildermay weaken compliance with the policy if security checks are lost.
These weaknesses can extend beyond individuals to companies, industries and governments when poor passwords are reused across multiple systems.
Thus, strengthening digital hygiene requires more than just user awareness. This requires structural changes from the platforms that set the rules.
To compensate for weak enforcement, users are increasingly relying on tools such as password manager to create secure credentials.
“Careless passwords didn't come out of nowhere. When websites stop requiring strong credentials, users stop creating them. In fact, we're seeing a cultural shift among both Internet users and Internet developers,” says Arbachiauskas.
Follow TechRadar on Google News. And add us as your preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the “Subscribe” button!
And of course you can also Follow TechRadar on TikTok for news, reviews, unboxing videos and get regular updates from us on whatsapp too much.
