The password is no longer a fortress in and of itself. In a landscape where attackers effortlessly bypass traditional defences, passwords have become more of a revolving door to a greater security fortress – one that needs to be built on resilience, not strength.
For years, password length and complexity were the cornerstones of cyber-hygiene. Today, however, attackers are outmanoeuvring that strategy. FortiGuard Labs recorded over 100 billion stolen credentials traded on underground markets last year – a 42% surge fuelled by massive ‘combo lists’ harvested from past breaches. These lists enable cybercriminals to automate credential-stuffing at scale, meaning a single leaked username and password can unlock numerous corporate accounts in seconds.
Human behaviour compounds the problem. Approximately six in ten people still reuse passwords across personal and professional accounts, while the average user juggles nearly 170 logins. It’s unrealistic to expect anyone to create and remember 170 unique, complex passphrases. Faced with this cognitive overload, weak habits emerge: recycled passwords, sticky notes, and temporary credentials that persist for years.
Attackers exploit this reality, primarily through phishing. Roughly 70% of stolen passwords originate from phishing campaigns, and the rise of AI-generated lures has made fraudulent emails and fake login pages nearly indistinguishable from legitimate ones. South African organisations, particularly small and medium-sized enterprises (SMEs), often lack the resources to filter every suspicious message, making them attractive targets.
Why complexity rules are losing their punch
Most corporate password policies still rely on complexity: a 12-character minimum with mixed case, numbers and symbols, plus mandatory periodic resets. While complexity does slow brute-force cracking, its effectiveness diminishes once credentials are stolen or phished. Complexity increases the effort required for a direct attack, but it’s futile against attackers who purchase valid logins on the darknet.

Four priorities for South African defenders
- Make Multi-Factor Authentication (MFA) mandatory, everywhere. Industry studies indicate that MFA blocks over 99% of automated credential abuse. However, adoption across Africa remains around 50% and is often lower among SMEs. An organisation’s security is only as robust as its weakest privileged account. Therefore, every administrator console, VPN, and SaaS dashboard must be protected by an additional factor.
- Accelerate the shift to passwordless access. FIDO2 hardware keys, mobile passkeys, and platform-based biometrics cannot be replayed or phished. Organisations that pilot password-free logins typically experience a reduction in help desk calls and fewer account takeover alerts. These benefits should encourage broader adoption in South African organisations.
- Deploy enterprise-grade password managers. While passwordless solutions mature, most businesses operate in a hybrid environment. Password managers generate high-entropy passwords, securely autofill them, and audit reuse, while providing the governance logs increasingly required by regulators.
- Integrate identity intelligence into a broader security fabric. Fortinet’s Continuous Threat Exposure Management (CTEM) approach correlates leaked-credential intelligence with network telemetry. This enables automated credential resets when an employee’s email address appears on a combo list, preventing criminals from exploiting those credentials. Combined with AI-driven phishing protection, this approach minimises opportunities for attackers.
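
The fourth priority describes correlating a leaked-credential feed with the corporate directory and triggering resets automatically. The following Python is an added illustration of that defender-side matching step, not Fortinet's or any product's code: the combo-list excerpt, the directory, the `email:password` line format and the response actions are all constructed assumptions, and exposed passwords are reduced to a short hash so they are never stored or logged.

```python
"""Correlate a leaked-credential feed with a directory and decide responses.
Constructed sample data only; the feed format, directory and actions are
assumptions made for this example (example.com is a reserved domain)."""
import hashlib

# Constructed combo-list excerpt: mixed case, duplicates and a malformed line.
COMBO_LIST_SAMPLE = """\
Alice.Smith@Example.com:Summer2024!
bob@example.com:hunter2
mallory@other.example:letmein
bob@example.com:hunter2
garbage line without separator
"""

# Constructed corporate directory (assumed shape): email -> account record.
DIRECTORY = {
    "alice.smith@example.com": {"privileged": True},
    "bob@example.com": {"privileged": False},
    "carol@example.com": {"privileged": False},
}


def normalize_email(raw: str) -> str:
    """Directory lookups must be case- and whitespace-insensitive."""
    return raw.strip().lower()


def fingerprint(secret: str) -> str:
    """Keep only a 12-hex-char SHA-256 prefix of the exposed password so the
    plaintext never reaches logs or tickets; it is enough to count distinct
    exposures per account."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def parse_combo_list(text: str):
    """Yield (email, password_fingerprint) for well-formed lines; skip others."""
    for line in text.splitlines():
        if ":" not in line:
            continue  # malformed line: ignore rather than abort the feed
        email, password = line.split(":", 1)
        yield normalize_email(email), fingerprint(password)


def correlate(combo_text: str, directory: dict) -> dict:
    """Map each matched corporate account to its automated response.
    Every match gets a forced reset; privileged accounts also get their
    active sessions revoked. Duplicate feed lines count once."""
    exposures: dict = {}
    for email, fp in parse_combo_list(combo_text):
        if email in directory:  # foreign addresses are not our problem to reset
            exposures.setdefault(email, set()).add(fp)
    return {
        email: {
            "force_reset": True,
            "revoke_sessions": directory[email]["privileged"],
            "exposed_secrets": len(fps),
        }
        for email, fps in exposures.items()
    }
```

Feeding the result into a provisioning or SIEM workflow is the next step; the point here is that the match is made on normalised addresses and that only hashed fingerprints of the exposed secrets are retained.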

Don’t overlook the human firewall
Technology alone cannot address a behavioural challenge. Fortinet’s recent research reveals that 70% of South African organisations lack basic cyber-awareness training. Regular simulations that train staff to identify spoofed login pages and report suspicious messages are a cost-effective, high-impact defence layer. Leadership must champion these programmes and mitigate security fatigue by ensuring policies and training are perceived as empowering rather than punitive.
Resilience and resistance
Passwords will remain part of the authentication landscape for the foreseeable future, but their role is evolving. Attackers understand that breaching identity is cheaper and faster than exploiting zero-day vulnerabilities, and the darknet’s thriving credential economy provides sophisticated tools to even the least skilled criminals. South African businesses that adopt ubiquitous MFA, passwordless pilots, robust vaulting, and continuous exposure management will make that economy less profitable.
Currently, with lower barriers to entry for aspiring cybercriminals, the critical question is no longer “Is my password strong enough?” but “Is my identity architecture resilient enough to withstand inevitable credential compromise?”
Strength lies not in a clever string of characters but in layered, adaptive controls that assume any single factor can and will fail. That is the mindset that keeps businesses, and their customers, safer in a world where credentials are the currency of cybercrime.