Re: XP Screen Saver password uses Old password until logout or New one is used.

From: John Thornton (newsat_private)
Date: Tue Apr 30 2002 - 13:07:14 PDT


    There is no way this can be a feature. Take the following example. A
    computer retail store such as Staples uses password-protected screen savers
    to secure all of their computers. If they fired a disgruntled employee and
    changed all of the passwords, he can still come back (or have someone come
    back for him) and do whatever he likes. Most retail stores do not shut the
    display computers off at night because it just adds more to the list of
    things to do; therefore the old password will always work.
    
    Not having access to an XP box, I am curious to know: if you change the
    password three times, would the two old passwords work?
    
    -John Thornton
    Editor in Chief
    Hacker's Digest Magazine
    http://www.hackersdigest.com
    
    
    ----- Original Message -----
    From: Ghazi H. Al Wadi [NGHA-CTC]
    To: vuln-devat_private
    Sent: Monday, April 29, 2002 11:32 PM
    Subject: XP Screen Saver password uses Old password until logout or New one
    is used.
    
    
    Hi,
    Today I have, as usual, changed my PC logon password (XP Home Edition). When
    the screen saver started, I dismissed it and, by force of habit, I typed the
    old password. To my surprise, I was able to unlock the screen saver using the
    old password.
    I was able to do that several times. However, once I log out or use the new
    password, I am unable to use the old password and have to use the new one.
    
    The question is: is this a feature? And from a security point of view,
    wouldn't that be a vulnerability? If not, is it documented anywhere? And
    last, was this issue addressed before?
    
    Kindest regards
    Ghazi Al Wadi
    


