The ability to use a revoked password for Remote Desktop Protocol (RDP) access is a little-known behavior of Windows machines linked to Microsoft or Azure accounts. When remote desktop access is enabled, users can log in with a dedicated password that is validated against credentials stored locally on the device, or with the credentials of the online account that was originally used to sign into the machine.
Even after a user changes the account password, the old password remains valid for RDP logins indefinitely. Reports from security expert Wade indicate that, in some instances, several previous passwords still grant access while newer ones do not. The result is persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.
Experts warn that this little-known behavior could lead to significant security risks, particularly if a Microsoft or Azure account has been compromised—especially in cases where passwords have been publicly exposed. In such situations, changing the password is a crucial step to thwart unauthorized access to sensitive resources. However, while this action effectively blocks an adversary from logging into the Microsoft or Azure account, the old password continues to provide access to the user’s machine via RDP indefinitely.
Wade articulated this concern in his report, stating, “This creates a silent, remote backdoor into any system where the password was ever cached. Even if the attacker never had access to that system, Windows will still trust the password.”
Will Dormann, a senior vulnerability analyst at the security firm Analygence, echoed these sentiments, noting, “It doesn’t make sense from a security perspective. If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.”
Credential caching is a problem
The underlying mechanism is credential caching on the local machine. On the first login with Microsoft or Azure account credentials, RDP verifies the password online, and Windows then stores a cryptographically protected form of the credential on the device. From that point on, any password entered at an RDP login is checked against the locally cached credential without an online check, so a password that has since been revoked still grants remote access through RDP.
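The checks below are an added example for defenders, not code from the article or from the researchers it quotes. They read the standard Windows registry locations for RDP, Network Level Authentication and the domain logon cache, and then count recent Security event 4624 logons by logon type. Two assumptions are made: that the article's cached-credential RDP logons surface with the documented type 12 (CachedRemoteInteractive) rather than type 10 (RemoteInteractive), and that the CachedLogonsCount value, which governs cached domain logons, is relevant as a related setting only; the article does not say which setting controls the Microsoft/Azure account cache, so this script audits and reports rather than claiming a fix.

```powershell
# Added audit example (not from the original article). Read-only checks a defender
# can run on a Windows host to see whether the conditions described above apply
# and whether recent RDP logons were validated against cached credentials.
# Assumptions: standard registry locations for RDP/NLA/cached-logon settings and
# Security auditing of logon events enabled. Run from an elevated PowerShell.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# 3. How many domain logons may be cached locally? Default is 10; 0 disables that cache.
#    NOTE (assumption): the article does not state whether this value governs the
#    Microsoft/Azure account credential cache; it is reported as a related setting, not a fix.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

# 4. Recent RDP logons, split by how they were validated.
#    Security event 4624 LogonType 10 = RemoteInteractive, 12 = CachedRemoteInteractive.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = [int]$d['LogonType']
            Source    = $d['IpAddress']
        }
    } | Where-Object { $_.LogonType -in 10, 12 }

# Summary of the host's exposure and of how recent RDP logons were validated.
[pscustomobject]@{
    RdpEnabled           = $rdpEnabled
    NlaRequired          = $nla
    CachedLogonsCount    = $cached
    RdpLogonsOnline      = @($events | Where-Object { $_.LogonType -eq 10 }).Count
    RdpLogonsCachedCreds = @($events | Where-Object { $_.LogonType -eq 12 }).Count
} | Format-List

# Detail rows for logons that never touched the online identity provider.
$events | Where-Object { $_.LogonType -eq 12 } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Hosts that report RDP enabled together with cached-credential RDP logons from unexpected source addresses are the ones to review first after a Microsoft or Azure account password change, since on those machines the change alone does not cut off access.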