Windows RDP lets you log in using revoked passwords. Microsoft is OK with that.

The ability to use a revoked password to log in through RDP occurs when a Windows machine that’s signed in with a Microsoft or Azure account is configured to enable remote desktop access. In that case, users can log in over RDP with a dedicated password that’s validated against a locally stored credential. Alternatively, users can log in using the credentials for the online account that was used to sign in to the machine.

Even after users change their account password, however, it remains valid for RDP logins indefinitely. In some cases, Wade reported, multiple older passwords will work while newer ones won’t. The result: persistent RDP access that bypasses cloud verification, multifactor authentication, and Conditional Access policies.

Wade and another expert in Windows security said that the little-known behavior could prove costly in scenarios where a Microsoft or Azure account has been compromised, for instance when the passwords for them have been publicly leaked. In such an event, the first course of action is to change the password to prevent an adversary from using it to access sensitive resources. While the password change prevents the adversary from logging in to the Microsoft or Azure account, the old password will give an adversary access to the user’s machine through RDP indefinitely.

“This creates a silent, remote backdoor into any system where the password was ever cached,” Wade wrote in his report. “Even if the attacker never had access to that system, Windows will still trust the password.”

Will Dormann, a senior vulnerability analyst at security firm Analygence, agreed.

“It doesn’t make sense from a security perspective,” he wrote in an online interview. “If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.”

Credential caching is a problem

The mechanism that makes all of this possible is credential caching on the hard drive of the local machine. The first time a user logs in using Microsoft or Azure account credentials, RDP will confirm the password’s validity online. Windows then stores the credential in a cryptographically secured format on the local machine. From then on, Windows will validate any password entered during an RDP login by comparing it against the locally stored credential, with no online lookup. With that, the revoked password will still give remote access through RDP.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!