According to TechRadar, new research from NordPass examining the thousand most visited global websites reveals alarming password security gaps that are actively teaching users bad habits. The study found that 58% of tested websites allow passwords without special characters, while 42% impose no minimum length requirements whatsoever. Even more concerning, 11% of sites have no password restrictions at all, and only 1% meet best-practice security standards. Government, health, and food-related websites demonstrated some of the weakest policies despite handling high-risk sensitive data. Karolis Arbačiauskas, head of product at NordPass, notes that when sites accept passwords like “password123,” users learn that’s sufficient when it’s clearly not. These lax standards persist even as automated attacks become faster and more sophisticated.
This is a security culture problem
Here’s the thing: we’ve been blaming users for weak passwords for years, but the real issue is that websites aren’t demanding better. When platforms that handle your medical records or government services don’t require strong credentials, why would anyone bother creating them? It’s like having a bank that doesn’t require you to lock the vault door. The research shows this isn’t just about individual laziness – it’s about systemic failure across the entire digital ecosystem.
And honestly, who can blame users? We’re all managing dozens of accounts, and when sites have wildly different requirements, it’s exhausting. Some demand uppercase, lowercase, numbers, and symbols while others accept “123456.” No wonder people just reuse the same mediocre password everywhere. The inconsistency is maddening.
Critical industries are failing hardest
What’s really alarming is that the sectors handling the most sensitive information are often the worst offenders. Government sites? Health portals? Food delivery with your payment info? These should be leading the charge on security, but according to the data, they’re lagging behind. It’s like the digital equivalent of a hospital not washing its hands.
Part of the problem seems to be that many platforms prioritize easy onboarding over security. They want you to sign up quickly without friction, so they lower the password barriers. But that short-term convenience creates long-term vulnerability. When you’re dealing with critical infrastructure, whether it’s government systems or industrial control networks, weak authentication can have devastating consequences.
Modern solutions exist but aren’t being used
While 39% of websites now support single sign-on, only a tiny fraction have implemented passkeys – which are both more secure and easier to use than traditional passwords. That’s the real head-scratcher here. We have better technology available, but adoption is crawling. Passkeys eliminate the password problem entirely, yet websites keep clinging to outdated systems.
So what’s the hold-up? Basically, it comes down to implementation costs and the fact that many sites are built on legacy systems that are hard to update. But at some point, we need to ask: is saving a few development dollars worth the security risk? When automated attacks can exploit weak passwords in seconds, the cost of not upgrading becomes much higher.
Where do we go from here?
The NordPass researcher hit the nail on the head – this requires a cultural shift, not just technical fixes. Websites need to stop treating security as an afterthought and start building it into their design from day one. Clear password rules, visual strength indicators, and pushing users toward modern authentication methods would make a huge difference.
In the meantime, the rest of us are stuck using password managers to compensate for the system’s failures. It’s frustrating that we have to work around bad website design, but until platforms step up, tools like password managers are essential.
The bottom line? We can’t keep blaming users when the system itself is broken. Websites need to take responsibility for the security habits they’re creating – because right now, they’re teaching all of us to be dangerously careless.
