SAN FRANCISCO — A government policy that forbade the export of products with strong encryption in the 1990s has years later left users of devices like Android and Apple phones vulnerable to hackers when they visit one-third of all websites, including whitehouse.gov and nsa.gov.

Researchers last month discovered millions of devices and websites were using an outdated encryption key to secure their communications. The weak key resulted from a Clinton administration mandate that software and hardware makers use weak cryptography in products exported outside the United States.

Once those restrictions were relaxed in the late 1990s, many technology makers abandoned the weak cryptography. But researchers said this week that the old keys were included in the code that is still being used in a variety of modern devices and websites.

The discovery of the old vulnerability comes as officials in the United States and Britain press the technology industry to create so-called back doors for law enforcement agencies into the new and hard-to-crack encryption used by its products. Those back doors, industry officials argue, can just as well be used by hackers to intercept communications and pose an unnecessary risk to customers.