From Convenience to Risk: NordPass Study Exposes How Top Websites Are Failing Global Online Security

  • NordPass’ study finds a flood of weak, inconsistent password rules on top 1,000 global websites
  • Only 1% of sites enforce strong, comprehensive password standards including symbols and numbers
  • Adoption of modern authentication like passkeys remains extremely low at just 2% of websites
  • Experts emphasize shared responsibility and raising awareness to improve online security culture

NordPass, a password manager subdivision of the Lithuanian-born cyber security unicorn Nord Security, released a study that uncovers how weak password standards remain the foundation of a great portion of today’s internet. According to the research, many of the world’s most frequently visited websites are unintentionally promoting poor password practices, not through explicit guidance but through the absence of meaningful requirements. After examining the top 1,000 global sites, NordPass found that creating and using a flimsy password remains surprisingly easy. Major e-commerce platforms, official government portals, and even industry giants often fail to enforce the most basic elements of secure password creation.

The Background of NordPass and Its Research

Nord Security is a global cybersecurity company known for building accessible, user-friendly tools that enhance digital privacy and protection. Its product ecosystem includes solutions such as NordVPN, NordLayer, NordPass, and NordLocker, each addressing a different aspect of online security. Together, these tools form a comprehensive suite designed to secure internet connections, protect sensitive data, and help organizations manage digital risks.

Within this suite, NordPass serves as the dedicated password and credentials manager for both individuals and businesses. It provides encrypted, zero-knowledge storage for passwords, passkeys, and other sensitive information across devices. As part of Nord Security’s broader mission, NordPass focuses on strengthening everyday authentication practices and reducing vulnerabilities caused by weak or reused passwords.

For this study, NordPass researchers examined 1,000 of the world’s most visited websites, selected from the Ahrefs Top 1000 Most Visited Websites in the World ranking based on estimated organic search traffic in February 2025. This list represents the number of monthly visits each site receives through organic search results. Using that sample, the team reviewed the authentication methods and password requirements implemented by each website. All assessments were conducted within a defined timeframe, with data collected between February 26th and March 6th, 2025, ensuring a consistent snapshot of current security practices.

The Password Paradox and the Cultural Debt

Karolis Arbačiauskas, Head of Product at NordPass

The study showed that password expectations vary wildly across major websites. One platform may insist on a lengthy, highly complex password, while another will still approve something as weak as 123456. This lack of uniformity not only leaves users uncertain about what’s truly secure—it also gradually lowers the overall baseline for online protection. Key findings were:

  • 61% of sites require users to set a password, yet none adhere fully to NIST or NordPass-recommended best practices.
  • 58% do not mandate special characters, and 42% impose no minimum character count at all.
  • 11% offer login forms with absolutely no password rules or restrictions.
  • Just 1% of all reviewed websites enforce comprehensive requirements that include length, complexity, uppercase letters, symbols, and numbers.

‘What we’re really seeing is a cultural debt in how the internet was built. Most websites are designed with speed, convenience, and conversion in mind – not long-term security. Security checks are often treated as an afterthought in the UX process because they’re perceived as friction. Developers focus on making registration effortless, but in doing so, they also make insecurity effortless. It’s not ignorance or apathy – it’s an industry habit that prioritizes short-term engagement over sustainable safety. We’ve spent decades designing for ease, not resilience. As a result, users have learned that if a six-character password works, it must be ‘secure enough.’ The system shaped the expectation,’ NordPass’ head of product Karolis Arbačiauskas tells ITKeyMedia.

Password Security as a Partnership

The NordPass team firmly believes that password security is a ‘partnership’ between users and online services, and that security doesn’t have to mean frustration. Design nudges like real-time strength indicators, minimum length hints, and password creation feedback can drastically change user behavior. If users see a green bar only after adding a symbol or extending a password to 12 characters, they will most likely adapt quickly.

‘Even better is to make the right choice the default: enable password managers, MFA reminders, or passkey options at the signup stage. The goal is not to punish users for weak passwords; it’s to make strong ones feel natural,’ Mr Arbačiauskas adds.

The Promise and Challenge of Modern Authentication

In addition to password rules, the study looked at broader authentication practices—and the findings highlight how slowly new security technologies gain traction across the web:

  • 39% of websites offer single sign-on (SSO) options, with Google being the most common provider.
  • Only 2% have adopted passkeys, the newer password-free authentication method endorsed by the FIDO Alliance.
  • A mere five platforms—bahn.de, cuisineaz.com, fedex.com, interia.pl, and ups.com—fully matched the most rigorous password standards promoted by NordPass, as well as NIST.

Although a handful of websites demonstrate strong security implementations, the majority still place convenience ahead of robust protection.

‘Passkeys are the most promising replacement for passwords we’ve seen in years, but adoption is slow for two reasons: inertia and integration. Many platforms are simply not ready to invest in new authentication flows, especially if their current ones ‘work.’ Others are waiting for stronger ecosystem alignment – consistent support across browsers, operating systems, and devices. From a user perspective, there’s also an education gap. Passwords have been part of digital life for decades, so people instinctively trust what they know. It takes time and clear communication to show that passwordless login can be both simpler and safer,’ Mr Arbačiauskas comments.

Security Culture and Shared Responsibility

Altogether, critical sectors like government and healthcare services performed worst in NordPass’ findings.

Olga Voloshyna, Chairperson of the Committee on IT and Cyber Security of the German-Ukrainian Chamber of Industry and Commerce, CEO at Silvery LLC

‘The underlying reasons are multifaceted and largely systemic. One major issue is the extremely slow modernization cycle: every upgrade must pass through budgeting, procurement, vendor evaluation, and implementation, meaning technologies planned years earlier may already be outdated when deployed. Another challenge is the complexity of interconnected government and healthcare infrastructures, where updating one component can trigger a costly chain reaction, or prove technically impossible. Human factors also play a significant role, as these services cater to users with varying digital skills. Added verification steps or required learning often push convenience ahead of security, whether consciously or due to overloaded support teams,’ Olga Voloshyna of the Committee on IT and Cyber Security of the German-Ukrainian Chamber of Industry and Commerce explains.

Here, regulation could definitely take on a stronger role by setting and enforcing minimum password and authentication standards.

‘But real security can’t rely on compliance alone — it depends on culture. Every layer of the ecosystem has a role to play: developers, platform owners, and individual users.

‘We need a shared sense of responsibility. Developers should treat password protection as part of the user experience, not a technical checkbox. Organizations must take data protection as seriously as uptime or revenue. And users themselves have to stay alert by enabling MFA, using password managers, and understanding that safety online is everyone’s job, not someone else’s,’ Mr Arbačiauskas summarizes.

NordPass’ recent study highlights a critical yet often overlooked vulnerability in the digital landscape: inconsistent and weak password practices across the world’s most popular online services. By revealing how major platforms unintentionally normalize poor security habits, the research underscores the urgent need for stronger standards, better design, and wider adoption of modern authentication methods. Raising awareness through such findings is a significant step toward empowering both organizations and users to take shared responsibility for online safety and to build a more secure internet for everyone.
