Microsoft has confirmed that using an old Windows password can still log you in. File under what the actual heck, especially on World Password Day. Microsoft has confirmed that, in certain circumstances, an old Windows password, one you have already changed and that should therefore be revoked, will still enable a successful login.
Yes, you read that right, and it gets worse: Microsoft says this is a feature, not a password security vulnerability, and has no plans to change the behavior. As you might imagine, in the run-up to World Password Day on May 1, there have been a myriad of password warning stories to grab your attention: everything from a Microsoft password spraying attack, to malware publishing more than 1.7 billion stolen passwords to criminal forums, to details of a sinister password thief known as The ToyMaker. What I never expected to see, however, was Microsoft confirm that an old and revoked password could still be used to access your Windows account, and that such behavior wasn't a security vulnerability but a feature. Yet here we are.
Who needs an automatic password hacking machine when you've got this insanity? As first reported by Dan Goodin for Ars Technica, the problem sits with the Remote Desktop Protocol (RDP), which lets a remote user log in and use their Windows machine as if they were physically sitting in front of it. It has to be said that this is the same protocol much beloved by criminal hackers, which makes the whole feature-not-a-bug password problem even more mind-boggling. Daniel Wade, an independent security researcher, contacted the Microsoft Security Response Center after discovering that, having changed a password, the old one could still give access to the Windows machine over RDP.
Wade found that such old credentials worked from new machines, that Microsoft's security protections didn't raise any red flags when they were used, and, wait for it, that there's no way for an end user to detect, let alone fix, the issue. What Microsoft has done is update some documentation to state that credentials are verified against a locally cached copy before being authenticated over the network. "If the user changes their password in the cloud," the documentation now states, "the cached verifier is not updated, which means that they can still access their local machine using their old password."
I have reached out to Microsoft for a statement, but in the meantime, the response to Wade was that the issue was "a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline." Microsoft told Wade that this wasn't a Windows security vulnerability, according to Goodin, and that Microsoft security engineers had no plans to change it.
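Since the article's point is that an end user cannot detect or fix the cached-verifier behavior, the practical question for an administrator is simply how exposed a given machine is over RDP and which accounts can use it. The script below is an added example, not code from the article, from Wade or from Microsoft. It is a read-only inventory using standard Windows registry values and cmdlets (fDenyTSConnections, UserAuthentication, SecurityLayer, Get-LocalGroupMember, Get-NetTCPConnection), assumed to run from an elevated prompt on Windows 10/11 with PowerShell 5.1 or later. It reads CachedLogonsCount for completeness only; the article says nothing about whether that policy governs the verifier Wade hit, so a value of 0 is not presented as a fix.

```powershell
# Added example (not from the article): inventory a host's RDP exposure so you can see
# whether accounts whose passwords were "changed in the cloud" are allowed to connect.
# Read-only. Assumes an elevated PowerShell 5.1+ session on Windows 10/11.

$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$ts\WinStations\RDP-Tcp"
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication: 1 = Network Level Authentication required before a session is created.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# SecurityLayer: 0 = legacy RDP security layer, 1 = negotiate, 2 = TLS.
$securityLayer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer

# Who may connect. PrincipalSource distinguishes Local, ActiveDirectory, AzureAD and
# MicrosoftAccount principals; the cloud-backed ones are the entries relevant to the
# behavior quoted above. -ErrorAction covers unresolvable cloud principals.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource
$admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource

# CachedLogonsCount backs the "Interactive logon: Number of previous logons to cache" policy.
# Reported for completeness only: the article does not say whether it governs the verifier
# Wade hit, so do not read a value of 0 here as a fix for the behavior described above.
$cachedLogons = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaRequired
    SecurityLayer     = $securityLayer
    CachedLogonsCount = $cachedLogons
} | Format-List

'--- Members of Remote Desktop Users ---'
$rdpUsers | Format-Table -AutoSize
'--- Members of Administrators (granted RDP logon right by default) ---'
$admins | Format-Table -AutoSize

# Live check: RDP listens on TCP 3389 by default; a non-empty result means the host is
# accepting connections on that port right now.
'--- Listening on TCP 3389 ---'
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
```

Run it on a machine you suspect is reachable over RDP and compare the Microsoft-account or Entra ID entries in the group listings against the accounts whose passwords have recently been rotated; those are the ones the cached verifier, as Microsoft's updated documentation describes it, will still honor.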
Windows Warning — Microsoft Confirms Old Passwords Still Work To Login

Being able to use an old, long-since changed password to log in is not a Windows bug, Microsoft said. Here’s what you need to know.