COMMENTARY: Password cracking isn’t just another tactic anymore - it’s become one of the most common ways attackers gain their first foothold. It's not just about the technical side of MFA missteps or GPU power; it is also about the human factor that so often gets overlooked. Role-based training is the turning point here. You can’t expect a finance lead, an IT admin, and a facilities manager to all benefit from the same generic phishing module. Making training situational, relevant, and tied to real risks is how you change behavior. That’s also where MSPs and MSSPs can step in - bridging the gap between technology and people, and helping clients close one of the most exploited doors in the enterprise today.
Successful credential cracking has nearly doubled this year, with at least one password hash being cracked in 46% of tested environments, up from just 25% last year, according to the Picus Blue Report 2025. As someone who has been in cybersecurity for over two decades, I see these numbers as revealing a troubling trend in how we’ve approached credential security and user training over the past few years.
Why Password Cracking Is Surging
The surge in successful password cracking stems from a dangerous misconception that has swept through the industry. Around five years ago, many organizations relaxed their password standards, believing multi-factor authentication (MFA) would compensate for weak credentials. But here’s the reality: most organizations implement MFA poorly.
If you use a password and a token, but the token is weak and predictable, you’re not much stronger than just a password. It’s like using two bad locks instead of one good one.
This false sense of security compounds two other critical issues. First, modern GPU clusters can now crack passwords at unprecedented speeds—what took years a decade ago now takes hours. Second, the average employee manages over 100 passwords. Without password managers, they inevitably reuse credentials or create predictable variations—not out of carelessness, but because they’re overwhelmed.
The Channel Opportunity: From Problem to Solution
For MSSPs and other channel professionals, this crisis presents an opportunity. They are well positioned to address both the technical challenges of proper MFA implementation and the human element of credential security awareness. Clients need help bridging the gap between technology and behavior, and that’s exactly where channel partners excel.
Here’s one example: Infosec Institute’s research found that nearly a third of organizations (31%) still use the same training for all employees. The industry must shift from this one-size-fits-all approach to targeted, role-based education that speaks to each user’s reality.
- Leadership teams face sophisticated spear-phishing and whaling attacks. They need training on how attackers weaponize information from LinkedIn and social media. Showing them real examples using their own public profiles can be eye-opening.
- IT and technical teams require in-depth training on proper MFA implementation, secure credential storage, and recognizing advanced persistence techniques. They must understand why certain configurations that appear secure can still be bypassed.
- Specialized roles like finance and HR are prime targets. Training should focus on risks like business email compromise for finance and W-2 scams for HR, tailored to their daily responsibilities.
- General employees need practical guidance: how to use password managers, why not to reuse credentials, and how to spot scams like the “urgent” CEO gift card request.
When training aligns with real responsibilities and challenges, engagement rises—and behaviors change.
Identifying Real Risk Profiles
Beyond roles, it’s essential to identify high-risk users—and they’re not always who you’d expect. Executives and IT admins are obvious targets. But don’t overlook the marketing team with social media access, the executive assistant sending emails on leadership’s behalf, or the facilities manager controlling physical access systems.
Also consider repeat offenders who consistently fall for phishing or use weak passwords. The Picus Report found that attacks using valid accounts had a 98% success rate. If users make it easy for bad actors to exploit valid accounts, organizations must address those users directly—through one-on-one coaching or by limiting their access with technical controls.
AI-Powered Solutions and Practical Steps
Artificial intelligence is reshaping both attacks and defenses. Attackers use AI to generate convincing phishing emails, analyze breach databases for password patterns, and even deploy deepfake audio or video. Traditional markers of social engineering are becoming harder to spot. For MSPs, this requires evolving defenses:
- Use AI-powered tools for password auditing to flag weak, reused, or compromised credentials.
- Deploy password managers universally—not just for IT. Make security easier than insecurity.
- Create AI-enhanced, role-specific training, including phishing simulations with deepfake scenarios.
- Monitor high-risk users with behavioral analytics to detect unusual activity early.
- Validate security regularly through simulated attacks instead of waiting for real ones.
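One way to operationalize the credential-auditing step above, as an added illustration that is not from the column or any vendor’s product: the script below takes an export of unsalted account hashes (constructed sample values, standing in for something like an NT hash dump, where only unsalted hashes can be compared across accounts) and flags password reuse between accounts and matches against a breached-hash set, ranking findings so privileged accounts surface first.

```python
"""Audit an exported unsalted-hash set for password reuse and breach exposure.
Illustrative code, not a tool from the column; all data below is constructed."""
from collections import defaultdict

# Constructed export of (account, is_privileged, hash-as-hex). Hashes are
# placeholders; comparing across accounts only works for unsalted stores.
ACCOUNT_HASHES = [
    ("alice", True, "3f1c9a0e"),
    ("bob", False, "3f1c9a0e"),        # same hash as alice -> reuse
    ("carol", False, "77de01bb"),      # unique and not breached -> no finding
    ("dave", False, "c0ffee42"),       # present in the breached set
    ("svc_backup", True, "3F1C9A0E"),  # alice's hash again, different case
]
# Constructed breached-hash set, as a breach feed would supply it.
BREACHED_HASHES = {"c0ffee42", "deadbeef"}
RANK = {"critical": 3, "high": 2, "medium": 1}


def audit(accounts, breached):
    """Return one finding per affected account, most severe first."""
    breached = {h.lower() for h in breached}
    by_hash = defaultdict(list)
    for user, privileged, h in accounts:
        by_hash[h.lower()].append((user, privileged))  # normalise case
    findings = []
    for h, users in by_hash.items():
        reused, compromised = len(users) > 1, h in breached
        if not (reused or compromised):
            continue
        for user, privileged in users:
            if compromised and privileged:
                sev = "critical"   # breached password on a privileged account
            elif compromised or privileged:
                sev = "high"
            else:
                sev = "medium"
            findings.append({
                "account": user,
                "severity": sev,
                "reused_with": sorted(u for u, _ in users if u != user),
                "in_breach_list": compromised,
            })
    return sorted(findings, key=lambda f: RANK[f["severity"]], reverse=True)


def summarize(findings):
    """Count findings per severity for a client report."""
    counts = {s: 0 for s in RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts
```

Accounts that merely share a hash are reported as reuse even when the password is not in any breach list, since one cracked hash then unlocks every account in that group.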
The Bottom Line
The doubling of password cracking rates is a wake-up call. MFA misconceptions, weak passwords, and AI-powered attacks are converging to create a dangerous environment.
This challenge is solvable, but not through technology alone. Smarter, role-based education—grounded in how people actually work—is the missing piece. Organizations that evolve training beyond “check-the-box” programs will be far better positioned to avoid next year’s breach statistics.
Clients need guidance in navigating this landscape. The question isn’t whether to address role-based training, but how quickly it can be implemented before attackers exploit the gaps.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.