Can’t think of a good password for every account? It’s not your fault – you can also blame the websites themselves, a new study says
- Weak password rules engineer unsafe habits across major global websites
- Critical industries still rely on outdated requirements while handling sensitive user data
- Automated attacks exploit insecure credentials faster than websites can adapt
Many users struggle to create strong password credentials across multiple accounts because the broader digital ecosystem rarely pushes them toward secure choices, new research has claimed.
A report from NordPass examining the one thousand most visited global websites online today, found most platforms still allow short and predictable passwords, creating conditions where weak habits become normal over time.
Poorly enforced rules across major websites shape user behavior long before attackers exploit those gaps, and current standards do not reflect modern security realities.
Weak enforcement across critical industries
“The internet teaches us how to log in and for decades, it’s been teaching us the wrong lessons. If a site accepts “password123,” users learn that’s enough and it’s not,” says Karolis Arbačiauskas, head of product at NordPass.
The report reveals there are major inconsistencies in how websites approach password protection, with sectors handling sensitive information often performing the worst.
Government, health, and food-related sites demonstrated some of the weakest policy requirements, even though these industries manage high-risk data.
Unfortunately, these platforms sometimes focus on ease of onboarding, especially those promoting free website design or simplified setup models.
NordPass reports that 58% of tested websites allow passwords without special characters, and 42% impose no minimum length, while 11% impose no restrictions whatsoever.
Only 1% meet best-practice expectations by requiring longer, complex combinations that use character variety and case sensitivity.
This means many platforms operate with dated credential policies that fail to match the pace of evolving threats.
The analysis also notes that authentication technologies remain unevenly adopted across the web, creating further inconsistencies in user security.
While 39% of websites support single sign-on, only a very small number have implemented passkeys, even though they are more resilient and user-friendly than traditional passwords.
“Security needs to be a partnership. Websites can shape safer habits by guiding users through better design like clear rules, visual indicators, or even modern authentication like passkeys,” Arbačiauskas continues.
NordPass identified just five websites that meet the strictest criteria defined by recognized standards, demonstrating how slowly secure design principles spread, even among high-traffic platforms, and the limited adoption of advanced methods contributes to a fragmented security landscape.
The report warns weak enforcement makes users more vulnerable at a time when automated attacks are faster and more accessible.
Inconsistent requirements create attack surfaces that artificial intelligence tools can exploit with ease.
Also, reliance on simplified publishing systems, including those powered by an AI website builder, can weaken policy enforcement when security checks are deprioritized.
These weaknesses can also extend beyond individuals, affecting companies, industries, and governments when low-quality passwords are reused across multiple systems.
Strengthening digital hygiene, therefore, requires more than user awareness. It demands structural changes from the platforms that set the rules.
To compensate for lax enforcement, users rely increasingly on tools such as a password manager to generate secure credentials.
“Password carelessness didn’t appear out of nowhere. When websites stop demanding strong credentials, users stop creating them. What we’re really looking at is a cultural shift in both internet users and internet developers,” says Arbačiauskas.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
Weak password rules engineer unsafe habits across major global websites Critical industries still rely on outdated requirements while handling sensitive user data Automated attacks exploit insecure credentials faster than websites can adapt Many users struggle to create strong password credentials across multiple accounts because the broader digital ecosystem rarely pushes…
