The password is no longer a fortress in and of itself. In a landscape where attackers effortlessly bypass traditional defences, passwords have become more of a revolving door to a greater security fortress – one that needs to be built on resilience, not strength.
By Doros Hadjizenonos, regional director at Fortinet
For years, password length and complexity were the cornerstones of cyber-hygiene. Today, however, attackers are outmanoeuvring that strategy. FortiGuard Labs recorded over 100 billion stolen credentials traded on underground markets last year – a 42% surge fuelled by massive ‘combo lists’ harvested from past breaches. These lists enable cybercriminals to automate credential-stuffing at scale, meaning a single leaked username and password can unlock numerous corporate accounts in seconds.
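Credential stuffing leaves a recognisable footprint on the authentication side: one source replaying a combo list tries many distinct usernames in quick succession, mostly failing, whereas a legitimate user fumbling a password hits one account. The following detector is an added example written for this article, not Fortinet's or FortiGuard Labs' code; the log line format and the sample lines are constructed, and the thresholds (five distinct users within five minutes, at least 60% failures) are illustrative assumptions to tune against real traffic.

```python
# Added example (not Fortinet's code): flag credential-stuffing patterns in
# authentication logs. A combo-list replay looks like one source trying many
# DISTINCT usernames with mostly failures; the occasional success inside that
# spray is the account that has actually been taken over.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (the format is an assumption, not a real product's).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=frank result=OK
2024-05-01T10:00:10Z src=198.51.100.7 user=grace result=FAIL
2024-05-01T10:00:20Z src=198.51.100.7 user=grace result=FAIL
2024-05-01T10:00:30Z src=198.51.100.7 user=grace result=OK
2024-05-01T11:00:00Z src=192.0.2.9 user=heidi result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, src, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {src_ip: (distinct_users, attempts, successes)} for every source
    that tried at least `min_users` distinct usernames inside some `window`
    with a failure ratio of at least `min_fail_ratio`."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))

    flagged = {}
    for src, evs in by_src.items():
        # Slide a window starting at each event; flag on the first window that qualifies.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, r in in_window if r == "FAIL")
            successes = len(in_window) - fails
            if len(users) >= min_users and fails / len(in_window) >= min_fail_ratio:
                flagged[src] = (len(users), len(in_window), successes)
                break
    return flagged


if __name__ == "__main__":
    for src, (users, attempts, successes) in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {users} distinct users in {attempts} attempts, {successes} succeeded")
```

On the constructed sample, only 203.0.113.5 is flagged: six distinct usernames in four seconds with one success, which is the account to reset first. The user grace, who fails twice and then logs in, is not flagged, because a single-account retry pattern is exactly what a complexity-and-lockout policy already handles.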
Human behaviour compounds the problem. Approximately six in 10 people still reuse passwords across personal and professional accounts, while the average user juggles nearly 170 logins. It’s unrealistic to expect anyone to create and remember 170 unique, complex passphrases. Faced with this cognitive overload, weak habits emerge: recycled passwords, sticky notes, and temporary credentials that persist for years.
Attackers exploit this reality, primarily through phishing. Roughly 70% of stolen passwords originate from phishing campaigns, and the rise of AI-generated lures has made fraudulent emails and fake login pages nearly indistinguishable from legitimate ones. South African organisations, particularly small and medium-sized enterprises (SMEs), often lack the resources to filter every suspicious message, making them attractive targets.
Why complexity rules are losing their punch
Most corporate password policies still rely on complexity: a minimum of 12 characters, mixed case, numbers, symbols, and mandatory periodic resets. While complexity does slow brute-force cracking, its effectiveness diminishes once credentials are stolen or phished. Complexity increases the effort required for a direct attack, but it’s futile against attackers who purchase valid logins on the darknet.
Four priorities for South African defenders
- Make Multi-Factor Authentication (MFA) mandatory, everywhere. Industry studies indicate that MFA blocks over 99% of automated credential abuse. However, adoption across Africa remains around 50% and is often lower among SMEs. An organisation’s security is only as robust as its weakest privileged account. Therefore, every administrator console, VPN, and SaaS dashboard must be protected by an additional factor.
- Accelerate the shift to passwordless access. FIDO2 hardware keys, mobile passkeys, and platform-based biometrics cannot be replayed or phished. Organisations that pilot password-free logins typically experience a reduction in help desk calls and fewer account takeover alerts. These benefits should encourage broader adoption in South African organisations.
- Deploy enterprise-grade password managers. While passwordless solutions mature, most businesses operate in a hybrid environment. Password managers generate high-entropy passwords, securely autofill them, and audit reuse, while providing the governance logs increasingly required by regulators.
- Integrate identity intelligence into a broader security fabric. Fortinet’s Continuous Threat Exposure Management (CTEM) approach correlates leaked-credential intelligence with network telemetry. This enables automated credential resets when an employee’s email address appears on a combo list, preventing criminals from exploiting those credentials. Combined with AI-driven phishing protection, this approach minimises opportunities for attackers.
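The correlation step in the last priority, matching employee addresses against a leaked combo list and queueing a reset, can be sketched without any vendor product. The code below is an added example, not Fortinet's CTEM implementation or its API: the combo list is a constructed stand-in, the in-memory LeakFeed class mimics a range-query breach service (lookups use a five-character SHA-1 prefix so the full address never leaves the organisation, the k-anonymity pattern used by public breach-lookup APIs), and the response action names are illustrative placeholders.

```python
# Added example (not Fortinet's CTEM code): correlate a directory of employee
# addresses with a leaked-credential feed and decide which accounts need an
# automated reset. The feed is queried by a short hash prefix so the full
# address is never sent to the lookup service (k-anonymity range query).
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # first 5 hex chars of SHA-1, the usual range-query granularity


def norm_email(addr):
    """Canonicalise an address so Bob@Example.com and bob@example.com match."""
    return addr.strip().lower()


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a leaked combo list (email:password pairs).
# Only the address side is needed to decide on a reset; passwords are never compared.
CONSTRUCTED_COMBO_LIST = [
    "alice@example.com:Winter2023!",
    "Bob@Example.com:hunter2",
    "someone@other.example:qwerty",
]


class LeakFeed:
    """In-memory stand-in for a range-query API: prefix -> set of hash suffixes."""

    def __init__(self, combo_lines):
        self.index = defaultdict(set)
        for line in combo_lines:
            email = norm_email(line.split(":", 1)[0])
            h = sha1_hex(email)
            self.index[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])

    def range_query(self, prefix):
        # A real service returns every suffix sharing the prefix; the caller
        # matches locally, so the service cannot tell which address was checked.
        return self.index.get(prefix, set())


def exposed_accounts(employee_emails, feed):
    """Return the sorted list of employee addresses present in the feed."""
    hits = set()
    for addr in employee_emails:
        h = sha1_hex(norm_email(addr))
        if h[PREFIX_LEN:] in feed.range_query(h[:PREFIX_LEN]):
            hits.add(norm_email(addr))
    return sorted(hits)


def plan_resets(employee_emails, feed):
    """Map each exposed account to the response actions a CTEM-style workflow
    would trigger. Action names are constructed placeholders, not a product API."""
    return {
        addr: ["force_password_reset", "revoke_sessions", "require_mfa_reenrolment"]
        for addr in exposed_accounts(employee_emails, feed)
    }


if __name__ == "__main__":
    feed = LeakFeed(CONSTRUCTED_COMBO_LIST)
    directory = ["alice@example.com", "bob@example.com", "carol@example.com"]
    for addr, actions in plan_resets(directory, feed).items():
        print(addr, "->", ", ".join(actions))
```

Two design points carry over to a real deployment: normalise addresses before hashing, or case differences in the combo list will hide matches; and revoke existing sessions alongside the reset, since a stolen password may already have been used to establish one.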