
Microsoft has confirmed a shocking revelation that is sure to make you question the security of your Windows account. In a move that is being met with confusion and concern, the tech giant has revealed that an old Windows password, one you have already changed or had revoked, can still grant access to your machine over Remote Desktop.
According to reports, Microsoft’s Remote Desktop Protocol (RDP) permits this by design: the company calls it a “design decision” rather than a security vulnerability, intended to ensure that at least one user account remains able to log in even if the system has been offline for an extended period. The consequence is that, after a password has been changed or revoked, the old credentials may still be accepted for an RDP login.
The news comes as a surprise, especially on World Password Day, which aims to raise awareness about the importance of strong and unique passwords. The discovery was made by independent security researcher Daniel Wade, who found that the old credentials worked from new machines and did so without triggering any red flags from Microsoft’s security protections.
Microsoft has updated its documentation to reflect this behavior, stating that credentials are verified against a locally cached copy before being authenticated over the network. Because changing the password in the cloud does not update that cached verifier, the old password continues to be accepted for logging in to the local machine.
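The practical question for an administrator reading this is twofold: is logon-credential caching enabled on the machine, and who has actually been logging in over RDP? The PowerShell below is an added example written for this summary, not code from the Forbes article or from Microsoft. It reads the long-standing `CachedLogonsCount` value under the Winlogon key, which governs the domain-logon cache (whether that same setting governs the cached verifier the article describes is an assumption, not something the article states), and then lists Security-log event 4624 entries with logon type 10 (RemoteInteractive, i.e. RDP) from the last seven days. Reading the Security log requires an elevated prompt.

```powershell
# Added example: audit cached-logon configuration and recent RDP logons on this host.
# Assumption: CachedLogonsCount is the relevant knob for the environment being audited;
# it documents the domain-logon cache and defaults to 10 when the value is absent.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (default; value not set)' }
"CachedLogonsCount (domain logon cache): $cached"

# Recent RDP logons: event 4624 with LogonType 10 (RemoteInteractive). Needs an elevated prompt.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Pull the named EventData fields out of the event XML into a hashtable.
    $xml = [xml]$_.ToXml()
    $data = @{}
    foreach ($entry in $xml.Event.EventData.Data) { $data[$entry.Name] = $entry.'#text' }
    if ($data.LogonType -eq '10') {
      [pscustomobject]@{
        Time   = $_.TimeCreated
        User   = $data.TargetUserName
        Domain = $data.TargetDomainName
        Source = $data.IpAddress
      }
    }
  } |
  Sort-Object Time -Descending |
  Format-Table -AutoSize
```

Any RDP logon listed here for an account whose password was recently rotated is worth a second look: the article's point is that the old secret may still have been the one that was accepted, and the event log does not record which verifier succeeded.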
The company’s stance is that this is not a security vulnerability and has no plans to change the behavior. While some may argue that this raises concerns about the overall security of Windows accounts, Microsoft seems to view it as a necessary feature to ensure seamless access in certain situations.
This news serves as a reminder to users to prioritize password best practices, including regular updates and strong, unique combinations.
Source: https://www.forbes.com/sites/daveywinder/2025/05/01/windows-warning--microsoft-confirms-old-passwords-still-work-to-login/