May 2, 2025
Severity
High
Analysis Summary
Microsoft has acknowledged that its Remote Desktop Protocol (RDP) can allow users to log in using old passwords, even after those passwords have been changed or revoked. This occurs specifically with Microsoft or Azure accounts, where the password is verified online during the first login and then stored locally in a cryptographically secure format. Subsequent RDP logins compare input credentials against the local cache rather than revalidating them online. As a result, even outdated or compromised credentials can still grant access, bypassing modern security protections such as multifactor authentication and Conditional Access policies.
An independent security researcher brought this issue to light, emphasizing that this behavior represents a serious breakdown of user trust. Users naturally assume that changing a password immediately cuts off access to anyone holding the old credentials. However, the researcher warns that millions of users, from individuals to small businesses, may remain unknowingly exposed, because Windows continues to accept previously valid, cached credentials without alerting users, creating a potential backdoor for attackers who have already obtained older passwords.
Despite growing concern among cybersecurity professionals, Microsoft has refused to categorize this behavior as a bug or vulnerability. Instead, the company defends it as an intentional design feature meant to ensure that at least one user can always log in, even when a device is offline for long periods. Microsoft argues that altering this behavior might break compatibility with existing applications. Though the company has updated documentation to reflect the risks, it has not issued security advisories or alerts, and its own tools, such as Microsoft Defender and Azure Security, do not flag this behavior.
For now, security experts recommend that organizations re-evaluate their use of RDP and limit remote access where possible. They suggest enforcing local authentication rather than relying on cached credentials tied to cloud accounts. Microsoft’s refusal to change this mechanism or treat it as a security issue underscores a larger disconnect between how users expect password security to function and how Windows authentication is designed, leaving many systems potentially vulnerable despite following routine security best practices.
Impact
- Security Bypass
- Gain Access
Remediation
- Limit the use of Remote Desktop Protocol to only essential systems to reduce exposure.
- Configure RDP to authenticate only with local credentials rather than Microsoft or Azure accounts.
- Apply Group Policy settings to prevent the caching of credentials or disable credential caching entirely.
- Enable NLA to ensure users are authenticated before an RDP session is established.
- Restrict RDP access to internal networks or secure VPNs, avoiding exposure to the public internet.
- Regularly review login activity and audit logs for any unauthorized or suspicious access attempts.
- While they may not block cached credentials, enforcing MFA and Conditional Access policies can reduce other attack vectors.
- Frequently update local account credentials used for RDP to invalidate potential reused cached passwords.
- Ensure IT staff and end users are aware of this design limitation and its security implications.
- Stay informed about any future changes or mitigations Microsoft may implement regarding RDP behavior.
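As an added example (not part of the original advisory), the following PowerShell audit script reports the settings behind the remediation list above: whether RDP is enabled, whether NLA is required, the cached-logon count, and successful RDP (logon type 10) logons from the Security log over the last seven days. The registry paths and event fields are the standard Windows ones; whether CachedLogonsCount also governs the Microsoft or Azure account verifier the advisory describes is an assumption to confirm on your own build.

```powershell
# Added example: read-only audit of the RDP settings named in the remediation list.
# Run in an elevated PowerShell session; nothing here changes configuration.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValue($Path, $Name, $Default) {
    # Returns the named registry value, or $Default when the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default } else { return $item.$Name }
}

$rdpEnabled  = (Get-RegValue $ts  'fDenyTSConnections' 1) -eq 0
$nlaRequired = (Get-RegValue $rdp 'UserAuthentication' 0) -eq 1
# CachedLogonsCount (REG_SZ, default 10) is the count of logons Windows caches
# for offline use; 0 disables caching. Assumption: this is the setting the
# "Group Policy settings to prevent the caching of credentials" item refers to.
$cachedLogons = [int](Get-RegValue $wl 'CachedLogonsCount' '10')

if (-not $rdpEnabled)        { $finding = 'RDP disabled' }
elseif (-not $nlaRequired)   { $finding = 'Enable NLA' }
elseif ($cachedLogons -gt 0) { $finding = 'Cached logons still allowed' }
else                         { $finding = 'OK' }

[pscustomobject]@{
    RdpEnabled        = $rdpEnabled
    NlaRequired       = $nlaRequired
    CachedLogonsCount = $cachedLogons
    Finding           = $finding
} | Format-List

# Successful RDP logons in the last 7 days: Event ID 4624 with LogonType 10
# (RemoteInteractive). Review these against expected users and source hosts.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            SourceIp = $_.Properties[18].Value
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

A 'Cached logons still allowed' finding on a host that accepts Microsoft or Azure account RDP logons is the condition the advisory describes; the logon list gives the audit trail the review step calls for.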