Passwords remain a cybersecurity mainstay, surviving despite years of predictions about their demise. Even with constant warnings from security professionals, users still rely on weak choices—like a dog’s name or home address. So, what is an MSP to do?
For starters, encourage—or require—strong, hard-to-guess passwords. Then, ensure those credentials are stored securely in a password manager.
For MSPs helping SMB clients rein in credential chaos, password managers have become indispensable. But like any powerful tool, they come with risks. MSPs that don’t address those risks upfront may find themselves cleaning up avoidable security incidents later.
The credential crisis isn’t going away
The credential problem remains stubbornly persistent. A study of 19 billion leaked passwords found that 94 percent were reused or duplicated. According to the 2025 Verizon Data Breach Investigations Report, stolen credentials appeared as the initial access vector in 22 percent of all confirmed breaches.
Meanwhile, IBM reports that the average cost of a data breach has climbed to $4.88 million, and breaches involving stolen credentials take an average of 292 days to identify and contain—the longest of any breach type.
Jennifer Williams, Managing Director at Secarma, warns MSPs about both the promise and the peril of password managers: “Password managers can solve password chaos, but MSPs need to be upfront with clients: if every credential sits in one vault, that vault needs to be protected like critical infrastructure.”
Where password managers create risk
The fundamentals of a secure setup matter enormously, Williams explains. This includes MFA, strong master passwords or passkeys where supported, separate vaults for admin credentials, fewer shared logins, and regular access reviews.
But the real problems emerge when governance slips. “An employee leaves, a supplier keeps access longer than needed, or admin credentials sit in a shared vault with no clear audit trail—and suddenly the tool designed to reduce risk becomes a weak point.”
This is where many organizations fall short. Password managers don’t introduce risk on their own—mismanagement does.
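The governance lapses Williams lists (a departed employee, a supplier whose access outlived its contract, admin credentials in a shared vault with no audit trail) are exactly what a periodic access review is meant to catch. The script below is an added example, not code from any vendor or from the people quoted in this article; it runs over a constructed export of vault grants and items and assumes a simple grant/item model of the kind most password managers can export. The vault names, principals and dates are made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    """One principal's access to one vault (constructed model, not a vendor schema)."""
    principal: str
    kind: str                 # "employee" or "supplier"
    vault: str
    active: bool              # False once offboarding marks the person as departed
    expires: Optional[date]   # contractual end of access for suppliers, None if open-ended


@dataclass(frozen=True)
class VaultItem:
    """One stored credential and the vault it lives in."""
    name: str
    vault: str
    tier: str                 # "admin" for registrars, root accounts, keys; else "standard"


def shared_vaults(grants):
    """Vaults that more than one principal can open (departed users still count:
    until the grant is revoked they can still open it)."""
    counts = {}
    for g in grants:
        counts[g.vault] = counts.get(g.vault, 0) + 1
    return {v for v, c in counts.items() if c > 1}


def review_access(grants, items, today, audited_vaults):
    """Return a sorted list of (finding, subject, vault) tuples for the four
    governance failures described in the article."""
    findings = []
    for g in grants:
        if not g.active:
            findings.append(("DEPARTED_STILL_HAS_ACCESS", g.principal, g.vault))
        if g.expires is not None and g.expires < today:
            findings.append(("SUPPLIER_ACCESS_EXPIRED", g.principal, g.vault))
    shared = shared_vaults(grants)
    for it in items:
        if it.tier == "admin" and it.vault in shared:
            findings.append(("ADMIN_CRED_IN_SHARED_VAULT", it.name, it.vault))
        if it.tier == "admin" and it.vault not in audited_vaults:
            findings.append(("ADMIN_VAULT_NO_AUDIT_LOG", it.name, it.vault))
    return sorted(findings)


def run_review():
    """Constructed sample data standing in for a real vault export."""
    grants = [
        Grant("alice", "employee", "Ops-Shared", True, None),
        Grant("bob", "employee", "Ops-Shared", False, None),          # left the company
        Grant("acme-supplier", "supplier", "Ops-Shared", True, date(2025, 1, 31)),
        Grant("carol", "employee", "Admin-Break-Glass", True, None),
    ]
    items = [
        VaultItem("domain-registrar-root", "Ops-Shared", "admin"),    # wrong vault
        VaultItem("office-wifi", "Ops-Shared", "standard"),
        VaultItem("AD-enterprise-admin", "Admin-Break-Glass", "admin"),
    ]
    # Only the break-glass vault has audit logging turned on in this sample
    return review_access(grants, items, date(2025, 6, 1), {"Admin-Break-Glass"})


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```

Each finding maps to a remediation an MSP can action the same day: revoke the departed user's grant, end the expired supplier grant, move the registrar credential into a separately audited admin vault, and enable logging on any vault that holds admin-tier items.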
Lessons from real-world breaches
Adri Leite, CEO of Cliffside Cybersecurity, points to the LastPass breach as an instructive—and often misunderstood—example. “It gets quoted as proof that vaults are a single point of failure, but that is the wrong lesson,” he says. “The attackers stole encrypted vaults, but the encryption held. What really failed was vaults with weak master passwords that were cracked offline over time. The strong ones do not appear to have been compromised at scale.”
Leite stresses that the solution isn’t to abandon password managers, but to strengthen the variable that truly matters: the master passphrase.
He recommends using a strong master passphrase that is regularly screened against breached password lists, combined with phishing-resistant MFA on the vault itself. This ensures that a stolen password doesn’t automatically become a stolen skeleton key.
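Screening a master passphrase against breached-password lists can be done without ever sending the passphrase, or even its full hash, to the screening service. The example below is added here and is not code from Leite, Cliffside Cybersecurity or any vendor; it reproduces the k-anonymity range-query pattern used by the Pwned Passwords service (client hashes locally with SHA-1, sends only the first five hex characters, receives every suffix in that bucket with a count, and matches locally). The breach corpus is a constructed three-entry sample, and `range_lookup` is a stand-in for the real HTTPS endpoint so the whole thing runs offline.

```python
import hashlib

# Constructed sample of leaked passwords with how often each was seen.
# Plaintexts appear here only so the example can build its hash index
# offline; a real corpus holds hashes and counts, never plaintext.
_CONSTRUCTED_LEAKED = {
    "password123": 1_250_000,
    "correcthorsebatterystaple": 3_400,
    "Summer2024!": 18_200,
}


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the format the range API uses (SHA-1 is fine here:
    it is an index key for a public list, not a protection for the secret)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Server-side index: full hash -> times seen in breaches
BREACH_INDEX = {sha1_hex(p): n for p, n in _CONSTRUCTED_LEAKED.items()}


def range_lookup(prefix: str) -> str:
    """Simulated server side of the range query. Given the first 5 hex chars of
    a hash, return every stored suffix in that bucket as 'SUFFIX:COUNT' lines.
    Stands in for GET /range/{prefix} on the real service."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    lines = [f"{h[5:]}:{n}" for h, n in BREACH_INDEX.items() if h.startswith(prefix)]
    return "\n".join(sorted(lines))


def breach_count(passphrase: str) -> int:
    """Client side: hash locally, query by 5-char prefix only, match the suffix
    locally. Neither the passphrase nor its full hash leaves the client."""
    digest = sha1_hex(passphrase)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def screen_master_passphrase(passphrase: str) -> dict:
    """Verdict an MSP's onboarding or periodic check could act on."""
    seen = breach_count(passphrase)
    return {"breached": seen > 0, "seen": seen}


if __name__ == "__main__":
    for candidate in ("password123", "glacier-pelican-ledger-quartz-7"):
        print(candidate, screen_master_passphrase(candidate))
```

Run the check at vault enrolment and then on a schedule, because a passphrase that was clean last quarter can appear in a new dump; a hit means rotate the master passphrase, and, as the text notes, phishing-resistant MFA on the vault is what keeps a single leaked passphrase from becoming the skeleton key.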
He also reinforces a key principle MSPs should enforce across all clients: separate high-risk credentials from everyday access. “Crypto keys, domain registrars, and root admin accounts must not be in the same vault as your Netflix login.”
Vanishing passwords—in a few places
For more mature organizations, the future is trending toward passwordless authentication. “Some have gone passwordless entirely, moving to phishing-resistant methods like YubiKey tokens,” says Leite. “These organizations are ahead of the curve—and it’s where most businesses should be heading.”
However, most organizations aren’t there yet, whether due to budget constraints or maturity gaps. In the meantime, a well-managed password manager remains a practical and effective interim solution.
The MSP’s role in getting it right
Williams emphasizes that MSPs play a critical role in enforcing governance and best practices. This includes helping clients segment access, monitor vault activity, test recovery processes, and integrate password management into a broader identity security strategy.
A password manager should strengthen security—not concentrate risk into a single, poorly managed control point.
Cam Roberson, VP of Channel at Beachhead Solutions, highlights a broader truth: “Every convenience feature or productivity tool introduced into an environment can also introduce new risk. Security is always a balance between convenience and exposure, and SMBs need to understand both sides of that equation.”
Why layered security still wins
Roberson advocates for a layered defense approach. “If the first control fails, there needs to be another layer ready to respond. No single security tool is infallible.”
But he also challenges MSPs to think beyond prevention. “It’s not just about keeping attackers out—it’s about minimizing damage if they get in. Whether they cross the moat or walk through an unlocked gate, the question becomes: what happens next?”
That answer should be clear for every MSP. Controls like encryption, access management, segmentation, monitoring, and rapid response capabilities all play a role in reducing the impact of a breach.
Roberson sums it up clearly: “The goal isn’t to create the illusion of perfect security. The goal is to build resilience—so when a control fails, the organization remains protected and the damage is contained.”