
Minimum password requirements met: Top 1,000 most-visited websites


Researched industries

We analyzed the top 1,000 websites across 24 industries — from shopping and news to finance and government.


Why the website research matters

For several years now, our research into the most commonly used passwords has shown a clear pattern of people opting for weaker, more vulnerable credentials. However, we’ve never taken the time to pause and ask ourselves — what if the users never had the chance to pick better passwords in the first place?

Following this thread, we turned our focus away from the user and towards the websites themselves, and decided to analyze how the world’s top 1,000 most visited sites handle account security and minimum password requirements.

Research breakdown and methodology

We selected 1,000 of the most visited websites based on the Ahrefs “Top 1,000 most visited websites in the world” organic search traffic estimates between February 26 and March 6, 2025. The data used in our research concerned the estimated number of monthly visits a website gets from organic search.

Once we’d gathered the full list, we analyzed each website to determine its security requirements. We checked what authentication methods and minimum password requirements the websites had in place at the time of the research. Our criteria for a strong password included password length, specific character use, and case sensitivity — the same requirements we follow to generate strong login credentials with the NordPass Password Generator.

What were the key findings?


58% of the websites don’t require special characters for their passwords.

This means the supported passwords may contain only letters and numbers, making them more susceptible to brute-force attacks.

42% don’t enforce any minimum password length requirements.

This allows users to create shorter, easier-to-remember passwords that can be cracked faster than longer combinations.


Only 1%, or five websites, met all the best-practice criteria.

That means they enforce a minimum password length, require the use of special characters, and support case sensitivity for letters.

Government, health, and food and drinks sectors rank the lowest in password policy strength.

This can create cybersecurity vulnerabilities that endanger login credentials and sensitive personal information.


Sector deep dive

Some sectors have proven more lax about password use than others. Industry by industry, take a closer look at the percentage of websites that have established login security requirements for their users.


How can websites improve their security?

Weak password requirements lead to poor credential use habits. What can websites change to keep their users safe and happy?

Enforce stricter password requirements

Leaving it at just “Create a password” is not enough. Websites should set specific requirements for credential use. Based on best practices, a strong password should be at least eight characters long and contain a complex combination of uppercase and lowercase letters, numbers, and special symbols. The longer and more complex the password, the harder it is for criminals to steal users’ accounts.


Guide users with strength indicators

Users need to know exactly how strong a password should be. Otherwise, they might try setting “abcdefghijkl” as their 12-character password to get it over with and save time. Websites should have automatic checkmarks and strength indicators to let users know if their chosen password combination is complex or needs some improvements, like extra numbers or capital letters.
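The requirements from the two sections above, expressed as a per-rule checklist that a sign-up form could show while the user types. This is an added example, not NordPass code: `checkPassword`, `renderChecklist` and the rule ids are hypothetical names, and it checks only the criteria the article lists (length, letter case, numbers, special symbols).

```javascript
// Added example: checklist for the article's password criteria.
// All names here are hypothetical; sample passwords below are constructed.
const MIN_LENGTH = 8; // the article's stated minimum

const RULES = [
  { id: "length", hint: `Use at least ${MIN_LENGTH} characters`,
    // Count code points, not UTF-16 units, so an emoji counts once.
    test: (pw) => [...pw].length >= MIN_LENGTH },
  { id: "lower", hint: "Add a lowercase letter",
    test: (pw) => /\p{Ll}/u.test(pw) },
  { id: "upper", hint: "Add a capital letter",
    test: (pw) => /\p{Lu}/u.test(pw) },
  { id: "digit", hint: "Add a number",
    test: (pw) => /\p{Nd}/u.test(pw) },
  { id: "special", hint: "Add a special symbol",
    // Anything that is not a letter, a number or whitespace.
    test: (pw) => /[^\p{L}\p{N}\s]/u.test(pw) },
];

// Evaluate every rule and report which ones still need attention.
function checkPassword(pw) {
  const results = RULES.map((r) => ({ id: r.id, ok: r.test(pw), hint: r.hint }));
  const missing = results.filter((r) => !r.ok);
  return {
    results,
    passed: results.length - missing.length,
    meetsPolicy: missing.length === 0,
    hints: missing.map((r) => r.hint),
  };
}

// Plain-text checkmarks; a real form would update DOM elements instead.
function renderChecklist(pw) {
  return checkPassword(pw).results
    .map((r) => `${r.ok ? "[x]" : "[ ]"} ${r.id}`)
    .join("\n");
}

// The article's own example passes on length alone and gets three hints.
console.log(renderChecklist("abcdefghijkl"));
console.log(checkPassword("abcdefghijkl").hints);
```

Run the same rules on the server when the account is created; the browser check only guides the user.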


Embrace passkeys and password managers

We know — managing multiple complex passwords for a thousand accounts gets overwhelming. Instead, websites can make it easier for users by supporting passwordless account authentication. With a password manager like NordPass, they can create, store, and manage authentication on websites, apps, and other digital services they enjoy.


Is it time to say goodbye to passwords?


Passkeys are the answer

Backed by the FIDO Alliance, passkeys are the modern solution to the password problem. At NordPass, we’re one of the early adopters of passkey technology, allowing our users to enjoy a secure and smooth passwordless online experience.

When websites don’t protect you, protect yourself

Take your online security into your own hands. Use the NordPass password manager to generate and store truly strong and complex passwords and passphrases that adhere to the highest security standards.


Users vs. websites: Comparing the findings

Our earlier studies into common password use noted only bad user habits. Now, we can see that websites themselves often fail to enforce even basic standards, setting users up for vulnerabilities from the very first step.

Top 200 passwords

Throughout the years of analyzing password usage trends, we’ve concluded that weak passwords are the users’ fault. Users create easy-to-remember passwords that they reuse for multiple accounts to save time — and those passwords can take mere seconds for cybercriminals to crack.

Top 1,000 websites

After taking a closer look at the most commonly visited websites, it’s clear that the bad password habits don’t just recur out of user convenience — in fact, the websites themselves push users to take the easier way out by not enforcing strict password requirements and supporting weak credential use.

Disclaimer: This article, authored and published by Nord Security Inc., provides a comparative overview of website security requirements based on publicly available information collected manually from February 26, 2025, to March 6, 2025. The insights presented reflect our findings and are not endorsements. The information in this article is provided for informational purposes only and should not be considered definitive or permanent. While we strive for accuracy and completeness, Nord Security Inc. makes no guarantees regarding the information's accuracy, completeness, or suitability, and does not warrant, represent, or undertake for any period of time that any mentioned website still has these requirements or is in any way secure. Nord Security Inc. disclaims any and all liability for any errors, omissions, actions taken, or any other outcomes based on this information. The inclusion of these websites does not imply affiliation or endorsement, and all trademarks mentioned are the property of their respective owners.