Subj : Microsoft RDP apparently lets you log in with expired passwords - To : All From : TechnologyDaily Date : Thu May 01 2025 15:30:08 Microsoft RDP apparently lets you log in with expired passwords - and it apparently doesn't have plans to fix the issue Date: Thu, 01 May 2025 14:23:00 +0000 Description: Changing passwords could be basically pointless for Microsoft RDP. FULL STORY ======================================================================Security researcher Daniel Wade discovers worrying Microsoft RDP feature This allows old credentials to be used when logging in Microsoft has confirmed it has no plans to change this Security researcher Daniel Wade has discovered a protocol within Microsofts Remote Desktop Protocol (RDP), which allows users to log into machines using revoked passwords. Wades report warns this isnt just a bug. Its a trust breakdown, reminding Microsoft that people change their passwords trusting that this will cut off unauthorized access, making this feature entirely counter-intuitive. Wade cautioned millions of usersat home, in small businesses, or hybrid work setupsare unknowingly at risk. Surprisingly, in its response, Microsoft said this behaviour is not a bug - instead calling it, a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline. A feature, not a bug Microsoft confirmed the issue did not meet its definition of a security vulnerability, and that the firm has no plans to make any changes to this. According to Wades report, theres no clear way for end-users to detect or fix the issue on their end either, and Azure, Defender, Entra ID dont raise any flags, leaving users vulnerable even if theyre taking protective measures. This creates a silent, remote backdoor into any system where the password was ever cached. Even if the attacker never had access to that system, Windows will still trust the password, Wade argues. Credential stealing and data breaches are far too common, and compromised passwords are a serious risk to businesses and users alike. Research has shown that security attacks on password managers have soared , with attacks growing more frequent and sophisticated. This means regular password rotation is an important facet of cybersecurity, and best password hygiene practices centre revoking old, reused, or compromised passwords - making this feature all the more confusing and concerning. Via Ars Technica You might also like Take a look at our picks for the best malware removal software around Check out our choice for best antivirus software Beware, hackers can apparently now send phishing emails from no-reply@google.com ====================================================================== Link to news story: https://www.techradar.com/pro/security/microsoft-rdp-apparently-lets-you-log-i n-with-expired-passwords-but-it-doesnt-plan-to-fix-this --- Mystic BBS v1.12 A47 (Linux/64) * Origin: tqwNet Technology News (1337:1/100) .