Winsage
April 30, 2025
The ability to use a revoked password for Remote Desktop Protocol (RDP) access on Windows machines linked to Microsoft or Azure accounts allows users to log in with either a dedicated password or the credentials from their online account. Even after changing the account password, the old password remains valid for RDP logins indefinitely, and in some cases, multiple previous passwords may still grant access. This behavior poses significant security risks, especially if the account has been compromised, as changing the password does not block access via RDP with the old password. The issue arises from credential caching on the local machine, where the initial login credentials are stored securely, allowing continued access without online verification.