Re: XP Screen Saver password uses Old password until logout or New one is used.

From: Meritt James (meritt_james@bah.com)
Date: 04/30/02


Date: Tue, 30 Apr 2002 15:00:16 -0400
From: "Meritt James" <meritt_james@bah.com>
To: John Thornton <news@hackersdigest.com>

A minor trick that works on SOME systems is that if you call up the
process control popup via the keyboard, it appears on TOP of the
screensaver. You can then use it to kill the screensaver and then go to
it. This does NOT work on all implementations!

Jim

John Thornton wrote:
>
> There is no way this can be a feature. Take the following example. A
> computer retail store such as Staples use password protected screen savers
> to secure all of their computers. If they fired a disgruntle employee and
> change all of the passwords he can still come back (Or have someone come
> back for him) and do what ever he likes. Most retail stores do not shut the
> display computers off at night because it just add more to the list of
> things to do so, therefore the old password will always work.
>
> Not having access to a XP box I am curious to know if you change the
> password three times would the two old passwords work?
>
> -John Thornton
> Editor in Chief
> Hacker's Digest Magazine
> http://www.hackersdigest.com
>
> ----- Original Message -----
> From: Ghazi H. Al Wadi [NGHA-CTC]
> To: vuln-dev@securityfocus.com
> Sent: Monday, April 29, 2002 11:32 PM
> Subject: XP Screen Saver password uses Old password until logout or New one
> is used.
>
> Hi,
> Today I have as usual, changed my PC logon password (XP Home Edition). When
> the screen saver started, I dismissed it and by force of habit, I typed the
> old password. To my surprise I was able to unlock the screen saver using the
> old password.
> I was able to do that several times, However, once I logout or use the new
> password I am unable to use the old password and have to use the new one.
>
> The question is , Is this a feature. and from a security point of view
> wouldn't that be a vulnerability. If not is it documented any where. And
> last, was this issue addressed before.
>
> Kindest regards
> Ghazi Al Wadi

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566