- Weak password policies foster insecure habits across large global sites
- Critical industries still rely on outdated requirements while handling sensitive user data
- Automated attacks exploit insecure credentials faster than websites can adapt
Many users struggle to create strong password credentials across multiple accounts because the wider digital ecosystem rarely nudges them towards secure choices, new research has claimed.
A NordPass report examining the thousand most visited global sites online today found that most platforms still allow short and predictable passwords, creating conditions where weak habits become normal over time.
Poorly enforced rules across large websites shape user behavior long before attackers exploit these holes, and current standards do not reflect modern security realities.
Weak enforcement across critical industries
“The Internet teaches us how to log in, and for decades it taught us the wrong lessons. If a site accepts “password123”, users learn that that’s enough, and it’s not,” says Karolis Arbačiauskas, product manager at NordPass.
The report reveals that there are wide inconsistencies in how websites approach password protection, with sectors dealing with sensitive information often performing the worst.
Government, health, and food-related websites showed some of the weakest policy requirements, even though these industries manage high-risk data.
Unfortunately, these platforms sometimes focus on easy onboarding, especially those that promote free website design or simplified setup models.
NordPass reports that 58% of sites tested allow passwords without special characters, and 42% impose no minimum length, while 11% impose no restrictions at all.
Only 1% meet best practice expectations by requiring longer, complex combinations that use character variation and case sensitivity.
This means that many platforms operate with outdated credential policies that do not match the pace of threat evolution.
The analysis also notes that authentication technologies remain unevenly adopted across the web, creating further inconsistencies in user security.
While 39% of websites support single sign-on, only a very small number have implemented access keys, even though they are more robust and user-friendly than traditional passwords.
“Security must be a partnership. Websites can shape safer habits by guiding users through better design like clear rules, visual indicators or even modern authentication like access keys,” continues Arbačiauskas.
NordPass identified just five sites that meet the strictest criteria defined by recognized standards, demonstrating how slowly secure design principles spread even among high-traffic platforms. The limited adoption of advanced methods contributes to a fragmented security landscape.
The report warns that weak enforcement leaves users more vulnerable at a time when automated attacks are faster and more accessible.
Inconsistent requirements create attack surfaces that AI tools can easily exploit.
Furthermore, reliance on simplistic publishing systems, including those powered by an AI website builder, can weaken policy enforcement when security checks are deprioritized.
These weaknesses can also extend beyond individuals and affect businesses, industries, and governments when low-quality passwords are reused across multiple systems.
Strengthening digital hygiene therefore requires more than user awareness. It requires structural changes from the platforms that set the rules.
To compensate for lax enforcement, users increasingly rely on tools such as a password manager to generate secure credentials.
“Password carelessness didn’t come out of nowhere. When websites stop requiring strong credentials, users stop creating them. What we’re really looking at is a culture shift in both Internet users and Internet developers,” says Arbačiauskas.