
Quiet truth revealed: Internet’s foundation is weak password rules

New Study Reveals: The Internet’s Weak Password Rules Exposed

On Monday, November 10th, 2025, NordPass released a new study that exposes a concerning truth about the internet: it is built on weak password rules. The study, conducted by NordPass researchers, analyzed the 1,000 most visited websites globally and found that most websites do not require strong passwords, making it far too easy for users to create weak ones. This not only puts individuals at risk but also has a ripple effect on companies, industries, and governments.

According to Karolis Arbačiauskas, head of product at NordPass, “The internet teaches us how to log in and for decades, it’s been teaching us the wrong lessons. If a site accepts ‘password123’, users learn that’s enough and it’s not. People normalized minimal effort for maximum risk.”

The Password Paradox

The study found that most websites fall short when it comes to basic security. NordPass researchers discovered widespread inconsistency in how platforms handle password protection. Some websites have a few basic requirements, while others have none at all. As a result, users face different expectations from one platform to another, which not only confuses them but also lowers the global standard for online safety.

Out of the 1,000 websites analyzed, 61% require a password, but none fully meet NIST or NordPass security standards. 58% do not require special characters, and 42% do not enforce any minimum length. Shockingly, 11% have no password requirements at all. Only 1% of the websites included in the study require all the necessary elements for a strong password: long, complex passwords with uppercase letters, symbols, and numbers.

Worst Performing Sectors

Sectors that handle sensitive data, such as government, health, and food & drink, performed the worst in terms of password enforcement. “It’s not just about telling users to ‘be more careful’,” says Arbačiauskas. “Security needs to be a partnership. Websites can shape safer habits by guiding users through better design, like clear rules, visual indicators, or even modern authentication like passkeys.”

A Closer Look at the Digital Landscape

The NordPass study also examined how websites approach authentication overall and found that innovation spreads at a slow pace. Only 39% of sites allow users to sign in with single sign-on (SSO), mostly via Google. A mere 2% support passkeys, the modern passwordless technology backed by the FIDO Alliance. Out of the 1,000 websites, only five met the strictest password criteria defined by NordPass and NIST: bahn.de, cuisineaz.com, fedex.com, interia.pl, and ups.com.

While a few websites stand out as examples of strong password enforcement, the majority prioritize convenience over security. “Password carelessness didn’t appear out of nowhere. When websites stop demanding strong credentials, users stop creating them,” Arbačiauskas emphasizes. “What we’re really looking at is a cultural shift in both internet users and internet developers – one we urgently need to reverse.”

Why This Matters

In an era of growing data breaches and automated hacking tools, password quality is no longer a minor detail – it’s a first line of defense. Weak enforcement creates a ripple effect: if even the biggest websites don’t set high standards, smaller ones rarely do either. This not only puts individuals at risk but also has a significant impact on companies, industries, and governments. Cybercriminals exploit this gap, making brute force and credential stuffing attacks easier than ever and putting millions of user accounts at risk across industries.

Methodology

The NordPass study analyzed the Top 1000 Most Visited Websites in the World by Ahrefs, according to organic search traffic estimates from February 2025. The ranking reflects the estimated number of monthly visits each website receives from organic search. Between February 26th and March 6th, 2025, researchers checked which authentication methods and password requirements each website had.

About NordPass

NordPass is a password manager for both business and consumer clients. It is powered by the latest technology for utmost security and was developed with affordability, simplicity, and ease of use in mind. NordPass allows users to access passwords securely on desktop, mobile, and browsers, and all passwords are encrypted on the device, ensuring only the user can access them. NordPass was created by the experts behind NordVPN, a leading security and privacy app. For more information, visit nordpass.com.
