In an age of AI-powered threats and zero-trust frameworks, it’s remarkable how often the breach begins with something as basic (and preventable) as a bad password.

Despite major advancements in cybersecurity technology, human error remains the single biggest risk. And at the heart of that risk? Weak, reused or easily guessed passwords.

We have all seen them: Password123. Welcome2023. Companyname01. They’re predictable, they’re everywhere and they’re dangerous.

In our work across sectors such as finance, logistics, education and manufacturing, we still find weak passwords in nearly every environment we assess. Even in security-aware organisations, credentials are often the lowest-hanging fruit for attackers.

Why? Because they work.

Shocking statistics reveal that 57% of users admit to recycling variations of old passwords, and every 39 seconds an automated password guessing attack happens.

Counterintuitively, the same research highlights how 30% of websites don’t allow special characters in passwords and 17% don’t insist on a minimum length for passwords.

Bad actors don’t need to break in when they can log in. With credential stuffing, phishing and bruteforce attacks, attackers use automation to test billions of passwords across systems. If one password is reused anywhere, they’ll find it.

A bruteforce tool can crack an eight-character, lowercase password in seconds. A longer, complex password with mixed characters might take years. That time difference is your margin of safety.

The real-world impact of one bad credential

When a password falls into the wrong hands, it’s rarely a one-system compromise. Malefactors use it as a foothold. They escalate privileges, move laterally and map out the network. They don’t just steal data, they take full control.

The 2023 breach of Knights of Old, a UK logistics firm, is a sobering example. One weak password allowed attackers to gain entry. The result was a ransomware incident, operational shutdown and over 700 job losses. The company was forced into administration.

Unfortunately, this is not an isolated case. Password-related breaches have affected hospitals, schools, banks, governments and pretty much anywhere identity lies at the heart of access.

Once inside, threat actors don’t stay still. They steal intellectual property, customer data and financial records. They can shut down critical systems, which can lead to massive business continuity failures.

The damage goes far beyond downtime. Legal woes, hefty regulatory fines, and loss of customer trust and confidence are often worse than the incident itself.

Why weak passwords keep happening

Weak credentials persist not because we lack tools, but because we underestimate how humans use them.

Here’s what we often find in the field:

Lack of employee training: Without awareness, users default to convenience. They choose simple passwords or reuse them across accounts.
Weak or unenforced password policies: If you’re not mandating complexity, length, and expiration, weak passwords will thrive.
No multifactor authentication: Relying solely on a password is asking for trouble. If MFA isn’t enforced across all sensitive accounts, a single stolen password becomes a full compromise.
Poor visibility into credential hygiene: Many organisations don’t have tooling in place to audit password strength or reuse patterns.
Shadow IT and credential sprawl: Employees sign up for third-party tools using work emails and duplicate passwords, increasing risk without anyone noticing.

The result is a dangerous combination of good intentions and bad habits.

Building a strong password culture

A password policy needs to be more than a compliance document. It must become a behavioural framework. It must enforce best practices and support users in doing the right thing by default.

At a minimum, an effective password policy should:

Insist on at least 12-character passwords with a mix of uppercase, lowercase, numbers and symbols;
Prevent the reuse of recent passwords;
Enforce password changes every 90 to 180 days;
Lock accounts after repeated failed login attempts;
Encrypt passwords at rest using strong hashing algorithms; and
Mandate MFA, particularly for privileged and remote access.

However, policies alone aren’t enough. Implementation is where most organisations fall short. The success of any policy depends on consistent enforcement and ongoing user education.

What CyberStack is doing about it

At CyberStack, we find weak passwords during most our assessments, and this doesn’t matter whether the client is an SME with a single IT admin or a multinational enterprise with a full security operations centre.

That’s why we’ve built a practical, results-driven solution, a two-day password policy and awareness training course designed to help teams:

Understand why strong passwords matter (and how attackers exploit the weak ones);
Build passwords that balance security and usability;
Avoid common traps like reuse and predictable phrases;
Spot phishing attempts that seek to harvest credentials; and
Implement and enforce a policy that fits your organisation’s risk profile.

We also tailor the course to your environment, whether you’re in healthcare, retail, education or financial services.

At the end of the day, this isn’t just about passwords, it’s about culture. It’s about ensuring that your first line of defence (your users) are equipped to protect themselves and your business.

Learn more or sign up for CyberStack’s password training at cyberstack.co.za.