I haven't seen that one work since the NT3.51 days and early (pre SP3) NT 4.0 installations. On Tue, 30 Apr 2002, Meritt James wrote: > Date: Tue, 30 Apr 2002 15:00:16 -0400 > From: Meritt James <meritt_jamesat_private> > To: John Thornton <newsat_private> > Cc: "Ghazi H. Al Wadi [NGHA-CTC]" <wadigat_private>, > vuln-devat_private > Subject: Re: XP Screen Saver password uses Old password until logout or > New one is used. > > A minor trick that works on SOME systems is that if you call up the > process control popup via the keyboard, it appears on TOP of the > screensaver. You can then use it to kill the screensaver and then go to > it. This does NOT work on all implementations! > > Jim > > John Thornton wrote: > > > > There is no way this can be a feature. Take the following example. A > > computer retail store such as Staples use password protected screen savers > > to secure all of their computers. If they fired a disgruntle employee and > > change all of the passwords he can still come back (Or have someone come > > back for him) and do what ever he likes. Most retail stores do not shut the > > display computers off at night because it just add more to the list of > > things to do so, therefore the old password will always work. > > > > Not having access to a XP box I am curious to know if you change the > > password three times would the two old passwords work? > > > > -John Thornton > > Editor in Chief > > Hacker's Digest Magazine > > http://www.hackersdigest.com > > > > ----- Original Message ----- > > From: Ghazi H. Al Wadi [NGHA-CTC] > > To: vuln-devat_private > > Sent: Monday, April 29, 2002 11:32 PM > > Subject: XP Screen Saver password uses Old password until logout or New one > > is used. > > > > Hi, > > Today I have as usual, changed my PC logon password (XP Home Edition). When > > the screen saver started, I dismissed it and by force of habit, I typed the > > old password. To my surprise I was able to unlock the screen saver using the > > old password. > > I was able to do that several times, However, once I logout or use the new > > password I am unable to use the old password and have to use the new one. > > > > The question is , Is this a feature. and from a security point of view > > wouldn't that be a vulnerability. If not is it documented any where. And > > last, was this issue addressed before. > > > > Kindest regards > > Ghazi Al Wadi > > -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- "I don't intend to offend, I offend with my intent" hellNbakat_private http://www.nmrc.org/~hellnbak -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 19:31:13 PDT