COMMENTARY: The piece points to a reality many MSSPs/MSPs already see with customers: password problems are usually about human behavior, not missing technology. Even with stronger authentication tools available, weak passwords and reused credentials remain one of the easiest ways for attackers to get in. For security teams, that means the job is not just turning on MFA or setting password policies. It also involves helping organizations build better habits through regular training, password managers, and systems that automatically enforce security rules. The providers that do this well combine user education with technical controls, so security does not rely on employees making the right choice every time.
The label “bad password” is no longer reserved for the obvious choices everybody knows are weak, like 123456 or “password.” The passwords that are really concerning are the ones that look strong at first glance but are built from patterns cybercriminals already know how to guess.
Unfortunately, this is not common knowledge, and managed security service providers, along with internal IT and security teams, have their work cut out for them. One of the most effective ways to encourage stronger passwords among employees is through a combination of positive reinforcement and enforcement.
From a behavioral perspective, you can’t assume one annual training session will fix password habits. People are busy. They hear the guidance once, interpret it in their own way, and then go back to what’s easiest. That makes it important to reinforce password security repeatedly, in different formats, and in ways that feel practical.
At BOK Financial, password security is part of our required annual security awareness training, but I also incorporate it into almost every live session I conduct. For example, I present monthly to a required training program for newer employees, and I always include password security as one of the two basic things everyone needs to know to prevent most compromises, alongside phishing. I reinforce the same core messages in live presentations, internal cybersecurity news posts, and other awareness materials.
One approach that resonates with employees is demonstrating how some “pretty good” passwords still fail. When employees see that a password they would have considered strong was cracked in seconds by our threat analysts, it connects the dots. It’s not about calling out individuals; it’s about showing what actually happens when these patterns are tested so people can adjust their understanding of what strong really looks like.
A simple but very real obstacle to security is memory. It’s unrealistic to expect someone to memorize a different 16-character password for every account they use. One way to address this is to encourage employees to create and memorize strong, unique passphrases for their most sensitive accounts—such as their work network, primary email, and bank accounts—and use a reputable password manager for the rest.
On the enterprise side, that means providing an approved password manager and ensuring employees know it’s the right place to generate and store work-related passwords. If you don’t offer that option, employees will come up with their own workarounds—spreadsheets, notes, chat messages—which create different kinds of risks.
All of this must sit on top of technical controls and policy. Awareness alone is not enough. Systems should enforce a minimum standard so that weak passwords are never accepted. That includes enforcing a minimum character length so that shorter passwords are rejected outright, enforcing password history and reuse rules, and enabling multifactor authentication wherever possible. Security teams should also run password tests to identify real-world weaknesses and adjust their education efforts accordingly.
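One way to turn that minimum standard into an enforced check, as an added example that is not code from the column or from BOK Financial: a Python validator that rejects the “strong-looking” patterns described above (a common word plus year and symbol, leet substitutions, keyboard walks), enforces a length floor, and refuses reuse of previous passwords. The word lists, the 14-character minimum and the salted-hash history store are constructed assumptions for illustration.

```python
import hashlib
import re

# Constructed sample lists for this example (not from the column): stems attackers
# try first, and keyboard walks that often appear inside "strong-looking" passwords.
COMMON_STEMS = {"password", "welcome", "summer", "winter", "spring", "autumn",
                "admin", "letmein", "changeme"}
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "12345", "1qaz2wsx")
# Undo the usual substitutions so "P@$$w0rd" normalises back to "password".
LEET = str.maketrans("@$!013457", "asioleast")


def normalise(pw: str) -> str:
    """Lower-case, strip the digits/symbols people bolt on the end, undo leet-speak."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())   # "Summer2024!" -> "summer"
    return core.translate(LEET)                   # "p@$$w0rd"   -> "password"


def history_hash(pw: str, salt: str) -> str:
    """Salted SHA-256 used only for the reuse check in this example; real password
    storage should use a slow, memory-hard hash such as Argon2 or bcrypt."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def policy_check(pw: str, previous_hashes: set, salt: str, min_len: int = 14) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accepted.
    min_len=14 is an assumed policy value, not one stated in the column."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    stem = normalise(pw)
    if stem in COMMON_STEMS:
        problems.append(f"built from the common word '{stem}' plus a suffix")
    elif len(stem) < 8 and stem != pw.lower():
        problems.append("a short word padded with digits/symbols")
    if any(walk in pw.lower() for walk in KEYBOARD_WALKS):
        problems.append("contains a keyboard walk")
    if history_hash(pw, salt) in previous_hashes:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2024!", "P@$$w0rd2023!", "correct horse battery staple"):
        print(candidate, "->", policy_check(candidate, set(), "per-user-salt") or "accepted")
```

The same normalisation step is what makes the “pretty good” passwords from the live demonstrations fail: once the trailing year and symbol are stripped and the substitutions undone, the password is just a dictionary word again.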
For organizations with limited security budgets, leaders should talk with their vendors about features already included in the tools they’re paying for. Many platforms support multifactor authentication, stronger password policies, and logging capabilities that simply haven’t been enabled.
Ultimately, the guidance remains consistent with recommendations from the Cybersecurity and Infrastructure Security Agency (CISA): teach employees how to recognize and report phishing, encourage strong and unique passphrases instead of short, simple words, enable multifactor authentication as a second layer of protection, and keep software updated so known vulnerabilities are patched. When these steps are combined with realistic guidance and technical controls that quietly enforce security standards, organizations are far more likely to see stronger password habits over time.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert’s staff.