Re: XP Screen Saver password uses Old password until logout or New one is used.

From: Meritt James (meritt_james@bah.com)
Date: 04/30/02


Date: Tue, 30 Apr 2002 15:00:16 -0400
From: "Meritt James" <meritt_james@bah.com>
To: John Thornton <news@hackersdigest.com>

A minor trick that works on SOME systems is that if you call up the
process control popup via the keyboard, it appears on TOP of the
screensaver. You can then use it to kill the screensaver and then go to
it. This does NOT work on all implementations!

Jim

John Thornton wrote:
>
> There is no way this can be a feature. Take the following example. A
> computer retail store such as Staples uses password protected screen savers
> to secure all of their computers. If they fired a disgruntled employee and
> changed all of the passwords he can still come back (or have someone come
> back for him) and do whatever he likes. Most retail stores do not shut the
> display computers off at night because it just adds more to the list of
> things to do, so therefore the old password will always work.
>
> Not having access to an XP box, I am curious to know: if you change the
> password three times, would the two old passwords work?
>
> -John Thornton
> Editor in Chief
> Hacker's Digest Magazine
> http://www.hackersdigest.com
>
> ----- Original Message -----
> From: Ghazi H. Al Wadi [NGHA-CTC]
> To: vuln-dev@securityfocus.com
> Sent: Monday, April 29, 2002 11:32 PM
> Subject: XP Screen Saver password uses Old password until logout or New one
> is used.
>
> Hi,
> Today I have, as usual, changed my PC logon password (XP Home Edition). When
> the screen saver started, I dismissed it and, by force of habit, I typed the
> old password. To my surprise I was able to unlock the screen saver using the
> old password.
> I was able to do that several times. However, once I log out or use the new
> password I am unable to use the old password and have to use the new one.
>
> The question is: is this a feature? And from a security point of view,
> wouldn't that be a vulnerability? If not, is it documented anywhere? And
> last, was this issue addressed before?
>
> Kindest regards
> Ghazi Al Wadi

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566


