Did it in a couple of stores... Worked there. There is a real tendency
not to keep demo stock up-to-date.

Jim

hellNbak wrote:
>
> I haven't seen that one work since the NT3.51 days and early (pre SP3) NT
> 4.0 installations.
>
> On Tue, 30 Apr 2002, Meritt James wrote:
>
> > Date: Tue, 30 Apr 2002 15:00:16 -0400
> > From: Meritt James <meritt_jamesat_private>
> > To: John Thornton <newsat_private>
> > Cc: "Ghazi H. Al Wadi [NGHA-CTC]" <wadigat_private>,
> > vuln-devat_private
> > Subject: Re: XP Screen Saver password uses Old password until logout or
> > New one is used.
> >
> > A minor trick that works on SOME systems is that if you call up the
> > process control popup via the keyboard, it appears on TOP of the
> > screensaver. You can then use it to kill the screensaver and then go to
> > it. This does NOT work on all implementations!
> >
> > Jim
> >
> > John Thornton wrote:
> > >
> > > There is no way this can be a feature. Take the following example. A
> > > computer retail store such as Staples uses password protected screen savers
> > > to secure all of their computers. If they fired a disgruntled employee and
> > > changed all of the passwords he can still come back (or have someone come
> > > back for him) and do whatever he likes. Most retail stores do not shut the
> > > display computers off at night because it just adds more to the list of
> > > things to do, so therefore the old password will always work.
> > >
> > > Not having access to an XP box I am curious to know if you change the
> > > password three times would the two old passwords work?
> > >
> > > -John Thornton
> > > Editor in Chief
> > > Hacker's Digest Magazine
> > > http://www.hackersdigest.com
> > >
> > > ----- Original Message -----
> > > From: Ghazi H. Al Wadi [NGHA-CTC]
> > > To: vuln-devat_private
> > > Sent: Monday, April 29, 2002 11:32 PM
> > > Subject: XP Screen Saver password uses Old password until logout or New one
> > > is used.
> > >
> > > Hi,
> > > Today I have, as usual, changed my PC logon password (XP Home Edition). When
> > > the screen saver started, I dismissed it and by force of habit, I typed the
> > > old password. To my surprise I was able to unlock the screen saver using the
> > > old password.
> > > I was able to do that several times. However, once I logout or use the new
> > > password I am unable to use the old password and have to use the new one.
> > >
> > > The question is: is this a feature? And from a security point of view,
> > > wouldn't that be a vulnerability? If not, is it documented anywhere? And
> > > last, was this issue addressed before?
> > >
> > > Kindest regards
> > > Ghazi Al Wadi
> > >
> >
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> "I don't intend to offend, I offend with my intent"
>
> hellNbakat_private
> http://www.nmrc.org/~hellnbak
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 19:36:50 PDT