Windows Warning — Microsoft Confirms Old Passwords Still Work To Login

In a surprising revelation, Microsoft has acknowledged that under certain conditions, users can still log into their Windows accounts using old passwords—ones that have been changed and revoked. This peculiar behavior, confirmed by the tech giant, is being classified not as a security vulnerability but rather as a feature, leaving many in the cybersecurity community scratching their heads.

When Is A Revoked Windows Password Still An Active Windows Password?

As World Password Day approaches on May 1, the tech world has been rife with alarming stories about password security. Reports of Microsoft password spraying attacks, malware that has distributed over 1.7 billion stolen passwords, and the emergence of a notorious password thief known as The ToyMaker have dominated headlines. Yet the unexpected confirmation from Microsoft that old passwords still work has taken the spotlight in an entirely different way.

The issue stems from the Remote Desktop Protocol (RDP), a feature that allows remote users to access their Windows machines as if they were sitting right in front of them. While this protocol is widely used for legitimate purposes, it has also gained notoriety among cybercriminals, making Microsoft’s stance on this “feature” all the more perplexing.

Independent security researcher Daniel Wade uncovered this anomaly when he discovered that after changing his password, he could still access his Windows machine using the old credentials. His investigation revealed that these outdated passwords worked even from new devices, and Microsoft’s security measures failed to flag this unusual activity. Alarmingly, there is no way for end-users to detect or rectify this situation.

In response to Wade’s findings, Microsoft updated its documentation to clarify that credentials are verified against a local cached copy before being authenticated over the network. The updated guidance indicates that if a user changes their password in the cloud, the cached verifier remains unchanged, allowing continued access to the local machine with the old password.

When approached for a statement, Microsoft explained that this design decision was made to ensure that at least one user account can always log in, regardless of how long a system has been offline. They reiterated that this behavior does not constitute a security vulnerability and confirmed that there are no plans to modify it.
