World Password Day is almost here again (1 May) — a ceremonial reminder that, yes, we’re still letting “Welcome123” guard our most valuable data.
South African companies are haemorrhaging billions to cybercrime — R2.2 billion a year, by Interpol’s count — and a big part of the problem is something we all think we’ve got covered: passwords. In 2025, that’s borderline absurd.
Yes, biometrics are on the rise. Multi-factor authentication (MFA) adoption is growing. But if you thought that meant passwords were dead, think again. They’re still the first gate most attackers try to unlock — and the most neglected line of defence inside most businesses.
Worse: this isn’t a technical failure. It’s a human one.
According to SABRIC and multiple local cybersecurity consultancies, password-related breaches are still among the top entry points for attackers in South Africa. The tools are available. The policies are (mostly) in place. What’s missing? Culture.
Because here’s the truth: you can mandate password changes every 90 days, force minimum character lengths, and demand a mix of letters, numbers, and punctuation. But if your staff is just adding a “1!” to the end of the same word every time, you’re not solving the problem — you’re just annoying everyone while leaving the front door wide open.
And they know the door’s open. Threat actors have evolved from brute-forcing logins to scanning for reused credentials on the dark web. If someone used the same password for LinkedIn in 2012 and your CRM in 2024? That’s a breach waiting to happen.
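The gap described above, as an added example (not code from the article or from KnowBe4): a Python check, run at password-change time when the user supplies both the current and the new password, that compares the composition rule with a test for "same word, new suffix". The function names, the substitution table, the 0.8 similarity threshold and the sample passwords are assumptions constructed for illustration.

```python
import string
from difflib import SequenceMatcher

MIN_LENGTH = 8  # the 8-character floor the article refers to
AFFIXES = string.digits + string.punctuation
# Assumed (not exhaustive) table of common character substitutions.
LEET = str.maketrans("@4031$5!7", "aaoeissit")


def meets_composition_policy(pw: str) -> bool:
    """Minimum length plus a mix of letters, numbers and punctuation."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word(pw: str) -> str:
    """Drop leading/trailing digits and punctuation, then undo case and leet."""
    return pw.strip(AFFIXES).lower().translate(LEET)


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is the old base word with different decoration."""
    old_base, new_base = base_word(old), base_word(new)
    if not old_base or not new_base:
        # Nothing left after stripping (e.g. "2024!!!!"): compare raw strings.
        old_base, new_base = old.lower(), new.lower()
    return SequenceMatcher(None, old_base, new_base).ratio() >= threshold


if __name__ == "__main__":
    current = "Welcome123!"  # constructed sample, built on the article's "Welcome123"
    for candidate in ("Welcome1231!", "W3lcome2025#", "correcthorsebatterystaple"):
        print(f"{candidate!r}: policy_ok={meets_composition_policy(candidate)} "
              f"trivial_rotation={is_trivial_rotation(current, candidate)}")
```

Both decorated variants of the old password satisfy the composition rule and are flagged as trivial rotations, while the passphrase is not a rotation yet fails the composition rule for lacking digits and punctuation.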
Security awareness firm KnowBe4 — whose training platform is used by over 70,000 organisations globally — has three blunt recommendations for breaking the cycle:
- Use passphrases, not complicated nonsense. Think correcthorsebatterystaple, not B@f!x9^dR (test your password strength with KnowBe4’s password strength test).
- Use a password manager. You’re not meant to remember 76 different logins. That’s what apps are for.
- Enable MFA wherever you can. One password shouldn’t be the master key.
That’s not revolutionary advice. But that’s the point. The fact that it still needs saying in 2025 tells you everything you need to know about the state of password hygiene in corporate South Africa.
World Password Day is symbolic — but it’s also a mirror. If you don’t like what you see in it, don’t blame the day. Blame the fact that we’re still letting 8-character strings decide the fate of billion-rand networks.


