At least 42% of the top 1,000 most-visited websites have weak password requirements, according to research published by NordPass on Wednesday.

NordPass’ research looked at sites from Ahrefs’ list of the top 1,000 most visited websites based on monthly visits from organic search between Feb. 26 and March 6, 2025. Nearly two-thirds of these sites (61%) allow users to log in with a password.

The study found that only five websites out of the top 1,000 enforced minimum password length, special characters and case sensitivity requirements together, while 58% did not require special characters and 42% did not have minimum password length requirements.

“The internet teaches us how to log in and for decades it’s been teaching us the wrong lessons. If a site accepts ‘password123,’ users learn that’s enough and it’s not. People normalized minimal effort for maximum risk,” NordPass Head of Product Karolis Arbaciauskas said in a statement provided to SC Media.

The research further found that 11% of websites have no requirements at all for password creation, and just 2% support passkeys as a more secure alternative to passwords. A little more than a third (39%) offered a single sign-on (SSO) option, mostly through Google.

The five websites with the strongest password requirements, according to NordPass, were the German national railway company bahn.de, the French language culinary website cuisineaz.com, the American shipping companies fedex.com and ups.com, and the Polish news site interia.pl.

Overall, the three industries with the fewest websites enforcing strong passwords were government, health, and food and drinks, according to NordPass.

The National Institute of Standards and Technology’s (NIST’s) most recent password guidelines for users interacting with government information systems, published in August 2025, require a minimum password length of 15 characters if passwords are the only authentication factor, or eight characters if used as part of a multi-factor authentication process.

The NIST guidance also said commonly used passwords such as dictionary words should be rejected and that users should be provided with guidance for choosing a strong password. NordPass also recommends users be guided with password strength indicators and checkmarks for complexity requirements.

However, NIST’s guidance recommended against requiring special characters, while NordPass recommends the use of special characters, along with numbers and capital letters, to improve password complexity.

Weak passwords are a persistent problem across the internet, with Comparitech saying in a report published Thursday that the most common passwords, based on an analysis of 2 billion account details leaked on data breach forums, are "123456," "12345678," "123456789," "admin" and "1234."

Such passwords can lead to real-world data compromise, as demonstrated by researchers who accessed McDonald’s McHire records by guessing the password "123456" on a back-end account accessible through the McHire website. The account was a test account set up by Paradox.ai, which developed McDonald’s “Olivia” hiring chatbot.

“Password carelessness didn’t appear out of nowhere. When websites stop demanding strong credentials, users stop creating them. What we’re really looking at is a cultural shift in both internet users and internet developers — one we urgently need to reverse,” Arbaciauskas stated.





