Microsoft has confirmed that Remote Desktop Protocol (RDP) on Windows can still accept old passwords — even if they've already been changed or revoked.

The company says this is by design and not a security flaw, leaving many users unknowingly exposed.

This affects millions of users — whether you're working from home, part of a small business, or in a hybrid work setup.

What's Actually Happening?

The issue comes down to how Windows saves and checks your password during remote logins.

When you sign in to a Windows computer through RDP using a Microsoft or Azure account, the system first checks your password online. Once verified, it stores a protected form of that password (a verifier derived from it, not the plaintext) locally on the computer.

Next time you log in via RDP, Windows skips the online check. Instead, it compares your entered password to the one saved on the device. If it matches an older password that was once valid — even one that's since been changed or revoked — it lets you in.

In short: changing your Microsoft password doesn't stop old passwords from working for remote desktop access.

Sometimes, multiple old passwords still work, while your current one might not.

This setup also bypasses important protections like:

  • Cloud password checks
  • Multi-factor authentication (MFA)
  • Conditional Access policies

Attackers with access to an old password could use RDP as a backdoor — without being blocked by newer security rules.

Microsoft's Response: "It's Not a Bug"

Despite the clear risks, Microsoft says this is not a vulnerability. They call it an intentional design choice meant to ensure at least one account can always log in — even if the PC has been offline.

The company updated its documentation to reflect the risk but hasn't offered clear steps to fix it. They suggest configuring RDP to only use local accounts — not cloud-connected ones.

A Microsoft spokesperson also confirmed the company has known about the issue since August 2023. They say fixing it would break compatibility with some older apps.

Those cached credentials live either in the memory of the Local Security Authority Subsystem Service (LSASS) or on disk in Credential Manager's protected stores, for example:

  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials
  • %AppData%\Microsoft\Credentials

These cached credentials can survive password changes and persist until manually cleared or the machine is wiped.

How to Protect Yourself

Until Microsoft changes this behavior, here are some ways you can reduce your risk:

  1. Disable RDP if you don't need it.
  2. Use local accounts instead of Microsoft/Azure accounts for remote access.
  3. Block cached credentials:
     • Group Policy: Computer Configuration > Administrative Templates > System > Credentials Delegation
  4. Limit which users can access RDP.
  5. Use a VPN and firewall rules to control who can reach your remote desktop.
  6. Regularly clear cached credentials and audit login attempts.
  7. Consider third-party RDP gateways with stronger authentication policies.
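A read-only audit script for the mitigations above (is RDP on, which accounts may use it and whether they are cloud accounts, what credentials are cached, and who has logged in over RDP recently). It is added here as an example and is not code from the article or from Microsoft; it assumes the standard registry and Security log locations and an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example (not from the article): audit a Windows host for the RDP
# cached-password exposure. Every step only reads state; nothing is changed.

# 1. Is RDP enabled, and is Network Level Authentication (NLA) required?
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
"RDP enabled: $($deny -eq 0); NLA required: $($nla -eq 1)"

# 2. Who may connect over RDP? PrincipalSource shows whether a member is a
#    Local account or a MicrosoftAccount / AzureAD identity (the risky kind).
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
  Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Credentials cached in Credential Manager for the current user.
#    cmdkey lists target names only; it never prints the stored secrets.
cmdkey /list

# 4. RDP logons in the last 7 days: Security event 4624 with LogonType 10
#    (RemoteInteractive). Each event's data fields are read from its XML.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($d.LogonType -eq '10') {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Source  = $d.IpAddress
        Package = $d.AuthenticationPackageName   # e.g. Negotiate, NTLM, CloudAP
      }
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

Compare the Source and Account columns against the people who should be connecting; an unfamiliar source address for a cloud-backed account after a password change is exactly the pattern the article warns about.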