Weak Password Culture Starts With the Websites and New Research Maps the Scale

Most people blame themselves when they fall back on simple passwords, but fresh research shows the habits often form long before a user types anything.

The rules set by the websites shape these choices, and most of the world’s most visited platforms make weak passwords far too easy. NordPass reviewed one thousand high-traffic sites, and the findings point toward a system that pushes convenience ahead of basic safety.

The study covered twenty-four industries and captured how the top destinations on the internet handle the basics of account protection. The team relied on traffic estimates gathered between late February and early March this year, then checked each site to see what it demands from users when they create a password. The criteria followed the same structure used in the NordPass generator, which looks for length, character variety, and case sensitivity. These checks reveal the minimum the websites expect from their users, and the picture that emerges shows widespread gaps.

A large share of popular platforms still accepts short or predictable credentials. The data shows that fifty-eight percent of the tested websites do not ask for any special characters. This leaves passwords built from letters and numbers alone, the kind of combinations that can fall to brute force tools in very little time. Another forty-two percent do not set any minimum length, so they leave room for short strings that attackers can test quickly. Eleven percent of sites do not require anything at all. Only one percent meets all the best-practice criteria by asking for longer passwords that mix characters and respect case sensitivity.


The weaknesses stretch across sectors. Sites tied to government services, health records, and food-related services show some of the lowest scores for policy strength even though they often handle sensitive information. Many of these platforms smooth out sign-ups to speed up onboarding, and some rely on simplified website building systems that do not enforce strong checks by default. When the foundational rules start at a low bar, users fall back on easy combinations just to move through the form, and the pattern sticks.

The research also looked at the broader authentication landscape. Support for single sign-on appears on thirty-nine percent of the websites, mostly through major providers like Google. Passkeys appear on only a small share, around two percent. Five websites meet the strictest standards mirrored from NordPass and NIST. These results show how slowly stronger models move across the web even when the tools already exist.

Weak rules matter because they train people to expect low-effort login habits. A site that accepts a simple string teaches users that simple works everywhere. Attackers count on that predictability and use automated tools to sweep across accounts at scale. Newer AI-driven systems can test vast numbers of combinations faster than older methods, which makes the gap between strong and weak policies even more significant. Once a password leaks or gets guessed, the damage can spread through any platform where the same combination exists.

The ripple continues inside organizations. Employees carry personal habits into the workplace. If they create weak passwords for common services, they often recycle similar patterns for business accounts. Industries that handle financial data or confidential records feel the strain when attackers exploit these shared weaknesses. Government portals face the same risk. Oversights in one area can spill into many others.

Websites have ways to fix this pattern. Clear rules at the start help shape stronger habits. Asking for length and character variety increases the time it takes to break a password by automated means. Strength indicators help users adjust quickly without confusion. A simple set of visual cues can steer someone away from common strings without pulling them out of the flow of sign-up. Passkeys offer another route by removing passwords from the equation and replacing them with cryptographic checks that block guessing attempts.
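How much a length or character-variety rule raises the floor can be measured directly. The following is an added example, not code from NordPass or the original article: it checks a candidate password against a signup policy and computes, in bits, how many passwords share the weakest shape that policy still accepts. The character classes and the three sample policies are assumptions chosen for illustration.

```python
import math
import string
from dataclasses import dataclass
from itertools import combinations

# Character classes; these boundaries are an assumption, not NordPass's definition.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

@dataclass(frozen=True)
class Policy:
    min_length: int = 1     # 1 = the site sets no minimum length
    required: tuple = ()    # class names that must each appear

    def violations(self, password):
        """Reasons a signup form enforcing this policy would reject the password."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        for name in self.required:
            if not any(ch in CLASSES[name] for ch in password):
                problems.append(f"no {name} character")
        return problems

    def floor_bits(self):
        """log2 of the number of passwords with the weakest accepted shape:
        shortest allowed length, built only from the classes the policy requires."""
        length = max(self.min_length, len(self.required), 1)
        if not self.required:   # nothing required, so a digits-only string passes
            return length * math.log2(len(CLASSES["digit"]))
        sizes = [len(CLASSES[name]) for name in self.required]
        total = 0
        # Inclusion-exclusion: strings over the union that contain every required class.
        for k in range(len(sizes) + 1):
            for dropped in combinations(sizes, k):
                total += (-1) ** k * (sum(sizes) - sum(dropped)) ** length
        return math.log2(total)

# Constructed policies; the thresholds are assumptions, not figures from the study.
NO_RULES = Policy()
LENGTH_ONLY = Policy(min_length=8)
FULL = Policy(min_length=12, required=("lower", "upper", "digit", "special"))
```

Comparing `floor_bits()` across the three policies shows the gap between a site that requires nothing and one that enforces both length and variety; `violations()` is the list a signup form could surface next to a strength indicator.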

Until websites catch up, users still hold some control over their own safety. A password generator can help them build stronger combinations even when a site does not demand them. The complex password generator available on Digital Information World offers a straightforward way to craft long and varied credentials. It lets people create passphrases or random strings that resist automated attacks and store them through any manager they trust.

The issue sits at the intersection of user behavior and website design. People respond to the rules that sit in front of them, and for years many sites lowered expectations for the sake of quick onboarding. This shaped a culture where weak combinations feel normal. The new research shows that password carelessness did not emerge by chance. It grew from years of lax enforcement across the biggest platforms online.

Improving digital hygiene will require more than guidance aimed at users. Platforms need to raise their standards and adopt stronger criteria. When the system expects more, people adapt. Until then, the habits will remain uneven, and attackers will continue to exploit the gaps that weaker policies leave behind.

Notes: This post was edited/created using GenAI tools.
