Vulnerability Development mailing list archives
Re: XP Screen Saver password uses Old password until logout or New one is used.
From: hellNbak <hellnbak () nmrc org>
Date: Tue, 30 Apr 2002 16:46:10 -0400 (EDT)
I haven't seen that one work since the NT3.51 days and early (pre SP3) NT 4.0 installations.

On Tue, 30 Apr 2002, Meritt James wrote:
Date: Tue, 30 Apr 2002 15:00:16 -0400
From: Meritt James <meritt_james () bah com>
To: John Thornton <news () hackersdigest com>
Cc: "Ghazi H. Al Wadi [NGHA-CTC]" <wadig () ngha med sa>, vuln-dev () securityfocus com
Subject: Re: XP Screen Saver password uses Old password until logout or New one is used.

A minor trick that works on SOME systems is that if you call up the process control popup via the keyboard, it appears on TOP of the screensaver. You can then use it to kill the screensaver and then go to it.

This does NOT work on all implementations!

Jim

John Thornton wrote:

There is no way this can be a feature. Take the following example. A computer retail store such as Staples uses password protected screen savers to secure all of their computers. If they fired a disgruntled employee and changed all of the passwords, he can still come back (or have someone come back for him) and do whatever he likes. Most retail stores do not shut the display computers off at night because it just adds more to the list of things to do so, therefore the old password will always work.

Not having access to an XP box, I am curious to know if you change the password three times would the two old passwords work?

-John Thornton
Editor in Chief
Hacker's Digest Magazine
http://www.hackersdigest.com

----- Original Message -----
From: Ghazi H. Al Wadi [NGHA-CTC]
To: vuln-dev () securityfocus com
Sent: Monday, April 29, 2002 11:32 PM
Subject: XP Screen Saver password uses Old password until logout or New one is used.

Hi,

Today I have, as usual, changed my PC logon password (XP Home Edition). When the screen saver started, I dismissed it and by force of habit, I typed the old password. To my surprise I was able to unlock the screen saver using the old password. I was able to do that several times. However, once I log out or use the new password I am unable to use the old password and have to use the new one.

The question is, is this a feature? And from a security point of view, wouldn't that be a vulnerability? If not, is it documented anywhere? And last, was this issue addressed before?

Kindest regards
Ghazi Al Wadi
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-