A groundbreaking study by NordPass has shed light on a startling truth: the internet is built on weak password rules. The research reveals that a majority of the world’s most popular websites silently encourage bad password habits by not enforcing strong password requirements.
The study, which analyzed the top 1,000 most visited websites globally, found that most websites still make it far too easy to create weak passwords. From shopping platforms to government portals, even the internet’s biggest names often skip the basic principles of creating strong passwords.
According to Karolis Arbačiauskas, head of product at NordPass, “The internet teaches us how to log in and for decades, it’s been teaching us the wrong lessons. If a site accepts ‘password123’, users learn that’s enough and it’s not. People normalized minimal effort for maximum risk.”
The Password Paradox
The research also revealed widespread inconsistency in how websites handle password protection. While some websites enforce a few basic requirements, others have none at all. This inconsistency creates confusion for users and lowers the global standard for online safety.
The study found that 61% of websites require a password, yet none fully meet the security standards set by NIST (National Institute of Standards and Technology) or NordPass. Additionally, 58% of websites do not require special characters and 42% do not enforce any minimum length for passwords. Shockingly, 11% of websites have no password requirements at all.
Sectors that handle sensitive data, such as government, health, and food & drink, performed the worst in terms of password enforcement.
Arbačiauskas explains, “It’s not just about telling users to ‘be more careful’. Security needs to be a partnership. Websites can shape safer habits by guiding users through better design like clear rules, visual indicators, or even modern authentication like passkeys.”
A Closer Look at the Digital Landscape
In addition to analyzing password enforcement, the study also examined how websites approach authentication overall. The results revealed a slow adoption of innovative technologies.
Only 39% of websites allow users to sign in with single sign-on (SSO), mostly through Google. A mere 2% of websites support passkeys, the modern passwordless technology backed by the FIDO Alliance. Only five websites – bahn.de, cuisineaz.com, fedex.com, interia.pl, and ups.com – met the strictest password criteria defined by NordPass and NIST.
While a few websites stand out for their strong password enforcement, the majority still prioritize convenience over security. This cultural shift toward convenience, among both internet users and developers, needs to be reversed urgently, according to Arbačiauskas.
Why This Matters
In the era of growing data breaches and automated hacking tools, password quality is no longer a minor detail – it’s a first line of defense. Weak password enforcement not only puts individuals at risk but also has a ripple effect on companies, industries, and governments. Each time a major platform accepts a weak password, it slows down the implementation of the global standard for online security.
Cybercriminals exploit this gap, and with the rise of technologies like artificial intelligence, brute force and credential stuffing attacks have become easier than ever, putting millions of user accounts at risk across industries.
Methodology
For the study, a total of 1,000 of the most visited websites were selected based on the Top 1000 Most Visited Websites in the World by Ahrefs, according to organic search traffic estimates from February 2025. The data reflects the period from February 26 to March 6, 2025.
About NordPass
NordPass is a password manager for both business and consumer clients. Powered by the latest technology for utmost security, NordPass allows users to access passwords securely on desktop, mobile, and browsers. All passwords are encrypted on the device, ensuring that only the user can access them. Developed with affordability, simplicity, and ease of use in mind, NordPass was created by the experts behind NordVPN, the advanced security and privacy app.
For more information, visit nordpass.com.

Derick is an experienced reporter having held multiple senior roles for large publishers across Europe. Specialist subjects include small business and financial emerging markets.