u/JessicaConnectWise

Hey everyone, we want to let you know that ConnectWise posted a security bulletin today on our Trust Center, notifying On-Prem ConnectWise Automate™ partners of the 2026.5 release, which contains a security update.

You can review the bulletin here. ConnectWise Automate™ 2026.5 Security Update | ConnectWise

As always, for real-time updates, we strongly encourage you to subscribe to the ConnectWise security bulletin RSS feed!

If you have any questions, please feel free to post them here or email help@connectwise.com to connect with our support team.

We’ve spent years telling users to create strong passwords. And sure, password security still matters. 

But here’s what we’re seeing more and more across MSP environments: 

Attackers aren’t trying to crack passwords anymore… they’re just logging in. 

Credential-based attacks (phishing, infostealers, credential stuffing) are quickly becoming one of the top risks for MSPs. Once valid credentials are in play, even the strongest password doesn’t really help. 

So it raises a question has our “password strategy” kept up? 

A few shifts ConnectWise is seeing among more mature MSPs: 

• Assuming credential compromise is inevitable 
• Designing around it instead of treating it as an edge case 
• Rethinking MFA

 

Moving toward phishing-resistant methods vs. basic push approvals 

• Doubling down on password management for MSPs

 

Not just vaulting, but enforcing policies, reducing reuse, and improving visibility across client environments 

• Exploring passwordless approaches

 

Passkeys and device-based auth are starting to gain real traction 

• Adding visibility into credential exposure

 

Because you can’t protect what you don’t know is already compromised 

Feels like “password security” alone is becoming table stakes and the real conversation is shifting toward broader identity security. 

Curious how others here are approaching it:

Are you still focusing heavily on password complexity, or evolving your password strategy beyond that?