
The Credential Cracking Crisis: Why Role-Based Training Is No Longer Optional

COMMENTARY: Password cracking isn’t just another tactic anymore - it’s become one of the most common ways attackers gain their first foothold. It's not just about the technical side of MFA missteps or GPU power; it is also about the human factor that so often gets overlooked. Role-based training is the turning point here. You can’t expect a finance lead, an IT admin, and a facilities manager to all benefit from the same generic phishing module. Making training situational, relevant, and tied to real risks is how you change behavior. That’s also where MSPs and MSSPs can step in - bridging the gap between technology and people, and helping clients close one of the most exploited doors in the enterprise today.


Successful credential cracking has nearly doubled this year, with at least one password hash being cracked in 46% of tested environments, up from just 25% last year, according to the Picus Blue Report 2025.

As someone who has been in cybersecurity for over two decades, I see in these numbers a troubling trend in how we’ve approached credential security and user training over the past few years.

Why Password Cracking Is Surging

The surge in successful password cracking stems from a dangerous misconception that has swept through the industry. Around five years ago, many organizations relaxed their password standards, believing multi-factor authentication (MFA) would compensate for weak credentials. But here’s the reality: most organizations implement MFA poorly.

If you use a password and a second factor, but that second factor is itself weak (a code an attacker can phish or intercept, or a push prompt users approve reflexively), you are not much stronger than with the password alone. It’s like using two bad locks instead of one good one.

This false sense of security compounds two other critical issues. First, modern GPU clusters can now crack passwords at unprecedented speeds—what once took years a decade ago now takes hours. Second, the average employee manages over 100 passwords. Without password managers, they inevitably reuse credentials or create predictable variations—not out of carelessness, but because they’re overwhelmed.

The Channel Opportunity: From Problem to Solution

For MSSPs and other channel professionals, this crisis presents an opportunity. They are well positioned to address both the technical challenges of proper MFA implementation and the human element of credential security awareness. Clients need help bridging the gap between technology and behavior, and that’s exactly where channel partners excel.

Here’s one example: Infosec Institute’s research found that nearly a third of organizations (31%) still use the same training for all employees. The industry must shift from this one-size-fits-all approach to targeted, role-based education that speaks to each user’s reality.

  • Leadership teams face sophisticated spear-phishing and whaling attacks. They need training on how attackers weaponize information from LinkedIn and social media. Showing them real examples using their own public profiles can be eye-opening.
  • IT and technical teams require in-depth training on proper MFA implementation, secure credential storage, and recognizing advanced persistence techniques. They must understand why certain configurations that appear secure can still be bypassed.
  • Specialized roles like finance and HR are prime targets. Training should focus on risks like business email compromise for finance and W-2 scams for HR, tailored to their daily responsibilities.
  • General employees need practical guidance: how to use password managers, why not to reuse credentials, and how to spot scams like the “urgent” CEO gift card request.

When training aligns with real responsibilities and challenges, engagement rises—and behaviors change.

Identifying Real Risk Profiles

Beyond roles, it’s essential to identify high-risk users—and they’re not always who you’d expect. Executives and IT admins are obvious targets. But don’t overlook the marketing team with social media access, the executive assistant sending emails on leadership’s behalf, or the facilities manager controlling physical access systems.

Also consider repeat offenders who consistently fall for phishing or use weak passwords. The Picus Report found that attacks using valid accounts had a 98% success rate. If users make it easy for bad actors to exploit valid accounts, organizations must address them—through one-on-one coaching or by limiting their access with technical controls.

AI-Powered Solutions and Practical Steps

Artificial intelligence is reshaping both attacks and defenses. Attackers use AI to generate convincing phishing emails, analyze breach databases for password patterns, and even deploy deepfake audio or video. Traditional markers of social engineering are becoming harder to spot. For MSPs, this requires evolving defenses:

  • Use AI-powered tools for password auditing to flag weak, reused, or compromised credentials.
  • Deploy password managers universally—not just for IT. Make security easier than insecurity.
  • Create AI-enhanced, role-specific training, including phishing simulations with deepfake scenarios.
  • Monitor high-risk users with behavioral analytics to detect unusual activity early.
  • Validate security regularly through simulated attacks instead of waiting for real ones.

The Bottom Line

The doubling of password cracking rates is a wake-up call. MFA misconceptions, weak passwords, and AI-powered attacks are converging to create a dangerous environment.

This challenge is solvable, but not through technology alone. Smarter, role-based education—grounded in how people actually work—is the missing piece. Organizations that evolve training beyond “check-the-box” programs will be far better positioned to avoid next year’s breach statistics.

Clients need guidance in navigating this landscape. The question isn’t whether to address role-based training, but how quickly it can be implemented before attackers exploit the gaps.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].

Keatron Evans

Keatron Evans is at the forefront of AI-driven cybersecurity innovation. As VP of Portfolio Product and AI Strategy at Infosec, he leads the development of cutting-edge solutions that are redefining industry standards. With over 20 years of experience, Keatron brings a unique blend of expertise as an AI pioneer, product visionary, cybersecurity expert and intelligence sector innovator.

Keatron is an AWS-certified Generative AI Subject Matter Expert, a founding member of an AI company that developed offensive cybersecurity tools for U.S. intelligence organizations, and author of “Chained Exploits: Advanced Hacking Attacks from Start to Finish.” He is a sought-after speaker at major industry events like the RSA Conference and a trusted expert for media outlets including CNN and Fox News. His forward-thinking approach focuses on harnessing AI to create adaptive cybersecurity solutions, positioning him as a key influencer in the private and public sectors.

Beyond his professional pursuits, Keatron is an avid martial artist and musician, bringing a multifaceted perspective to his innovative work in technology and leadership.
