Microsoft RDP apparently lets you log in with expired passwords - and it apparently doesn't have plans to fix the issue

Security researcher Daniel Wade has discovered a protocol within Microsoft’s Remote Desktop Protocol (RDP), which allows users to log into machines using revoked passwords.

Wade’s report warns “this isn’t just a bug. It’s a trust breakdown,” reminding Microsoft that people change their passwords trusting that this will “cut off unauthorized access”, making this feature entirely counter-intuitive. Wade cautioned “millions of users—at home, in small businesses, or hybrid work setups—are unknowingly at risk.

Surprisingly, in its response, Microsoft said this behaviour is not a bug – instead calling it, “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.”

A feature, not a bug

Microsoft confirmed the issue did not meet its definition of a security vulnerability, and that the firm has no plans to make any changes to this.

According to Wade’s report, there’s no clear way for end-users to detect or fix the issue on their end either, and Azure, Defender, Entra ID don’t raise any flags, leaving users vulnerable even if they’re taking protective measures.

“This creates a silent, remote backdoor into any system where the password was ever cached. Even if the attacker never had access to that system, Windows will still trust the password,” Wade argues.

Credential stealing and data breaches are far too common, and compromised passwords are a serious risk to businesses and users alike. Research has shown that security attacks on password managers have soared, with attacks growing more frequent and sophisticated.

This means regular password rotation is an important facet of cybersecurity, and best password hygiene practices centre revoking old, reused, or compromised passwords – making this feature all the more confusing and concerning.

Via Ars Technica

Take a look at our picks for the best malware removal software around
Check out our choice for best antivirus software
Beware, hackers can apparently now send phishing emails from “[email protected]”

Microsoft RDP apparently lets you log in with expired passwords – and it apparently doesn’t have plans to fix the issue

Assassin’s Creed Shadows best graphics settings for PS5, PS5 Pro, and Xbox Series X

Upcoming Switch games for 2025 and beyond

MFA alone won’t protect you in 2025: the new cybersecurity imperative

Adobe Max London 2025 live – all the new features coming to Photoshop, Firefly, Premiere Pro and more

A feature, not a bug

You might also like

Here is the world’s first true triple screen setup that can turn a laptop into a quad-display workstation

Google’s chatbot is now showing ads when talking to AI startups

Google Password manager is a favourite amongst TechRadar Pro readers – what’s yours?

Here is the world’s first true triple screen setup that can turn a laptop into a quad-display workstation

Why I Prioritize Fast Charging Over Battery Capacity

Google’s chatbot is now showing ads when talking to AI startups

Google Password manager is a favourite amongst TechRadar Pro readers – what’s yours?

Forget the Steam Deck, Cyberpunk 2077 on Nintendo Switch 2 is ‘the more Cyberpunk way’ to play, per CD Projekt Red

Prime Video’s ‘Shop the Show’ feature just got bigger –and I fear it could ruin some of the streamer’s best shows