
- Weak password rules drive insecure habits on major global websites
- Critical industries still rely on outdated requirements when handling sensitive user data
- Automated attacks exploit insecure credentials faster than websites can adapt
Many users struggle to create strong passwords across multiple accounts because the broader digital ecosystem rarely pushes them toward secure options, new research claims.
A NordPass report examining the thousand most-visited websites worldwide found that most platforms still allow short, predictable passwords, creating conditions where weak habits become normal over time.
Misapplied rules on major websites shape user behavior long before attackers exploit those gaps, and current standards do not reflect modern security realities.
Weak application in critical industries
“The Internet teaches us how to log in and for decades it has been teaching us the wrong lessons. If a site accepts ‘password123’, users learn that it is enough and it is not,” says Karolis Arbačiauskas, product manager at NordPass.
The report reveals that there are significant inconsistencies in the way websites approach password protection, with sectors that handle sensitive information often faring the worst.
Government, health, and food-related sites demonstrated some of the weakest policy requirements, even though these industries handle high-risk data.
Unfortunately, these platforms sometimes focus on ease of onboarding, especially those that promote free website design or simplified setup models.
NordPass reports that 58% of the websites analyzed allow passwords without special characters, and 42% do not impose any minimum length, while 11% do not impose any restrictions.
Only 1% meet best practice expectations by requiring longer, more complex combinations that use a variety of characters and are case-sensitive.
This means that many platforms operate with outdated credential policies that fail to keep up with the pace of evolving threats.
The analysis also notes that authentication technologies remain unevenly adopted across the web, creating further inconsistencies in user security.
While 39% of websites support single sign-on, only a very small number have implemented passcodes, even though they are more robust and easier to use than traditional passwords.
“Security should be a partnership. Websites can create more secure habits by guiding users through better designs, such as clear rules, visual indicators, or even modern authentication like passcodes,” Arbačiauskas continues.
NordPass identified only five websites that meet the strictest criteria defined by recognized standards, demonstrating how slowly secure design principles spread, even among high-traffic platforms. The limited adoption of advanced methods contributes to a fragmented security landscape.
The report warns that poor enforcement makes users more vulnerable at a time when automated attacks are faster and more accessible.
Inconsistent requirements create attack surfaces that can be easily exploited by AI tools.
Additionally, reliance on simplified publishing systems, including those built on an AI-powered website builder, can weaken policy enforcement when security controls are deprioritized.
These weaknesses can also extend beyond individuals and affect businesses, industries, and governments when low-quality passwords are reused across multiple systems.
Therefore, strengthening digital hygiene requires more than user awareness. It demands structural changes by the platforms that set the rules.
To compensate for lax enforcement, users are increasingly relying on tools like a password manager to generate secure credentials.
“Password sloppiness didn’t come out of nowhere. When websites stop requiring strong credentials, users stop creating them. What we’re really seeing is a cultural shift in both Internet users and Internet developers,” says Arbačiauskas.



