1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Microsoft RDP apparently lets you log in with expired passwords -

    From TechnologyDaily@1337:1/100 to All on Thu May 1 15:30:08 2025
    Microsoft RDP apparently lets you log in with expired passwords - and it apparently doesn't have plans to fix the issue

    Date:
    Thu, 01 May 2025 14:23:00 +0000

    Description:
    Changing passwords could be basically pointless for Microsoft RDP.

    FULL STORY ======================================================================Security
    researcher Daniel Wade discovers worrying Microsoft RDP feature This allows old credentials to be used when logging in Microsoft has confirmed it has no plans to change this

    Security researcher Daniel Wade has discovered a protocol within Microsofts Remote Desktop Protocol (RDP), which allows users to log into machines using revoked passwords.

    Wades report warns this isnt just a bug. Its a trust breakdown, reminding Microsoft that people change their passwords trusting that this will cut off unauthorized access, making this feature entirely counter-intuitive. Wade cautioned millions of usersat home, in small businesses, or hybrid work setupsare unknowingly at risk.

    Surprisingly, in its response, Microsoft said this behaviour is not a bug - instead calling it, a design decision to ensure that at least one user
    account always has the ability to log in no matter how long a system has been offline. A feature, not a bug

    Microsoft confirmed the issue did not meet its definition of a security vulnerability, and that the firm has no plans to make any changes to this.

    According to Wades report, theres no clear way for end-users to detect or fix the issue on their end either, and Azure, Defender, Entra ID dont raise any flags, leaving users vulnerable even if theyre taking protective measures.

    This creates a silent, remote backdoor into any system where the password was ever cached. Even if the attacker never had access to that system, Windows will still trust the password, Wade argues.

    Credential stealing and data breaches are far too common, and compromised passwords are a serious risk to businesses and users alike. Research has
    shown that security attacks on password managers have soared , with attacks growing more frequent and sophisticated.

    This means regular password rotation is an important facet of cybersecurity, and best password hygiene practices centre revoking old, reused, or compromised passwords - making this feature all the more confusing and concerning.

    Via Ars Technica You might also like Take a look at our picks for the best malware removal software around Check out our choice for best antivirus software Beware, hackers can apparently now send phishing emails from no-reply@google.com



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-rdp-apparently-lets-you-log-i n-with-expired-passwords-but-it-doesnt-plan-to-fix-this


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)