Friday, November 14, 2025

Websites Are Teaching Users Bad Password Habits, Says New Study

  • A new NordPass study found most top websites still allow weak passwords.
  • Government, health, and food industries perform worst in enforcing secure credentials.
  • Only 1% of platforms meet strong password standards.
  • Experts urge websites to adopt better rules and promote secure habits.

Many people struggle to create strong passwords for their online accounts, but a new study says the blame doesn’t rest solely with users. The real problem lies with websites that continue to accept weak credentials and outdated security rules.

Password Rules That Fail to Protect Users

According to new research from NordPass, most of the world’s most-visited websites are still failing to enforce proper password security. Out of one thousand popular sites examined, a large number still allow users to set simple passwords that are easy to guess.

The study found that 58 percent of websites allow passwords without any special characters. Forty-two percent have no minimum length requirement, and 11 percent don’t have any password restrictions at all.

Only 1 percent of sites meet modern security standards by requiring complex, longer passwords that mix uppercase, lowercase, numbers, and symbols.

Experts say these poor standards make users vulnerable before hackers even get involved. Weak enforcement teaches bad habits that carry across the internet. When a site accepts “password123,” users assume it’s good enough, even though it’s one of the easiest passwords to crack.

Sensitive Industries Still Lag Behind

Surprisingly, the study shows that sectors handling high-risk data perform the worst. Government, healthcare, and food industry websites are among those with the weakest password policies. These platforms often prioritize easy sign-up experiences or use simplified website builders that overlook advanced security checks.

Karolis Arbačiauskas, head of product at NordPass, explained that the internet has been teaching people the wrong lessons for decades. “If a site accepts weak passwords, users learn that’s enough—and it’s not,” he said.

The report suggests that while user awareness is important, true digital safety depends on structural changes from the platforms themselves.

Outdated Systems Leave Doors Open

The NordPass analysis highlights that many websites are running on old password standards that no longer match the pace of modern threats. Automated attacks have become faster and smarter, often exploiting these weaknesses long before developers react.

Authentication technologies, which could make a big difference, remain unevenly adopted. About 39 percent of websites now offer single sign-on features. However, only a few have introduced passkeys—a more secure and user-friendly method that eliminates the need for passwords altogether.

This lack of consistency creates a fragmented security environment. Even users who try to maintain strong passwords face risk when one weak platform becomes the point of entry for attackers.

Cultural Habits That Reinforce Weakness

The study reveals that password carelessness is not just a personal failing—it’s cultural. When websites stop requiring strong passwords, users naturally stop creating them. Over time, this shapes behavior across the digital landscape.

Arbačiauskas said security should be a partnership between users and platforms. Websites can encourage safer practices by using clear rules, visible password strength meters, and secure design principles.

NordPass found that only five of the thousand websites studied met the strictest password security criteria recognized by global standards. That means even some of the biggest and most trusted platforms are still far from ideal.

Password Managers Offer a Safety Net

Because websites often fail to guide users toward secure practices, many people now rely on password managers. These tools create and store strong credentials automatically, reducing the risk of weak or reused passwords.

Still, experts warn that better habits alone cannot fix a broken system. As long as major websites continue to use outdated password policies, users will remain at risk.

Simplified publishing systems, especially those powered by AI website builders, may also contribute to weaker enforcement. Developers often focus on ease of use or quick deployment instead of robust security testing.

The study concludes that password protection must evolve alongside technology. Strengthening digital hygiene requires consistent, strong rules across industries, and a shift in how both developers and users think about online safety.

Emily Parker
Emily Parker is a seasoned tech consultant with a proven track record of delivering innovative solutions to clients across various industries. With a deep understanding of emerging technologies and their practical applications, Emily excels in guiding businesses through digital transformation initiatives. Her expertise lies in leveraging data analytics, cloud computing, and cybersecurity to optimize processes, drive efficiency, and enhance overall business performance. Known for her strategic vision and collaborative approach, Emily works closely with stakeholders to identify opportunities and implement tailored solutions that meet the unique needs of each organization. As a trusted advisor, she is committed to staying ahead of industry trends and empowering clients to embrace technological advancements for sustainable growth.
