Re: XP Screen Saver password uses Old password until logout or New one is used.

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 04/30/02


Date: Tue, 30 Apr 2002 13:18:01 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: "Ghazi H. Al Wadi [NGHA-CTC]" <wadig@ngha.med.sa>, vuln-dev@securityfocus.com

Is'nt that the case with all win* since long time?
Well the password is cached, that's why it verifies from cache, where it should verify it from the actual password location. Lack of routine addition in all screensavers I guess. Remember flushing cached Passwords in win* , HEH! =)

P.S. It's not a feature, untill its discovered by Microsoft.

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-021-4548323, 92-021-4546077

"Great is the Art of beginning, but Greater is the Art of ending. "

------BEGIN GEEK CODE BLOCK----
Version: 3.1
GCS/CM/P/TW d- s: !a C++ B@ L$ S$ U+++
P+ L+++ E--- W+ N+ o+ K- w-- O- PS PE- Y-
PGP+ t+ X R tv+ b++ DI+ D G e++ h! r+ y+
------END GEEK CODE BLOCK------

--- "Ghazi H. Al Wadi [NGHA-CTC]" <wadig@ngha.med.sa> wrote:
>Hi,
>Today I have as usual, changed my PC logon password (XP Home Edition). When
>the screen saver started, I dismissed it and by force of habit, I typed the
>old password. To my surprise I was able to unlock the screen saver using the
>old password.
>I was able to do that several times, However, once I logout or use the new
>password I am unable to use the old password and have to use the new one.
>
>The question is , Is this a feature. and from a security point of view
>wouldn't that be a vulnerability. If not is it documented any where. And
>last, was this issue addressed before.
>
>Kindest regards
>Ghazi Al Wadi

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Run a small business? Then you need professional email like you@yourbiz.com from Everyone.net http://www.everyone.net?tag