but Microsoft considered this the norm
The Remote Desktop Protocol (RDP) in Windows allows you to log in using old, already changed passwords, and Microsoft calls it not a vulnerability, but part of the specification, Tweakers reports, citing research by security specialist Kevin Beaumont.
The problem is a Windows feature that stores up to 10 previous passwords as hashes (derived credential data used for authentication). Even after a password is changed, the old hashes remain valid for RDP logins.
Beaumont argues that this creates a potential “perpetual backdoor,” allowing anyone who knows an old password to gain access to the system. Microsoft, however, insists that this is a deliberate design decision made for user convenience, and recommends disabling password caching or using two-factor authentication (2FA) to improve security. 2FA requires an additional confirmation, such as a code from a phone, which supposedly reduces the risk.
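The article names "disabling password caching" as Microsoft's suggested mitigation but does not say which setting that is. The script below is an added example, not code from the article, Tweakers, Beaumont or Microsoft; it assumes the caching in question is the Winlogon `CachedLogonsCount` setting (the number of domain logons Windows keeps locally, default 10, which matches the "up to 10" in the article), and it audits that value on the local machine, optionally setting it to 0.

```powershell
# Added example: audit (and optionally reduce) the number of domain logons
# Windows caches locally. Assumption: the article's "password caching" is the
# Winlogon CachedLogonsCount setting, whose default of 10 matches the "up to 10"
# previous passwords the article describes.
param([switch]$Enforce)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

# The value is stored as a REG_SZ string; if it is absent, Windows uses 10.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = '10' }

# Report the current state so the result can be collected from many hosts.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    CachedLogonsCount = [int]$current
    Hardened          = ([int]$current -eq 0)
}

if ($Enforce -and [int]$current -ne 0) {
    # 0 disables cached logons entirely; users will then need a reachable
    # domain controller to sign in, so this is only safe for always-connected hosts.
    Set-ItemProperty -Path $key -Name $name -Value '0' -Type String
    Write-Output "CachedLogonsCount set to 0 (was $current); a reboot applies the change."
}
```

Run it without `-Enforce` first to inventory hosts; in a domain the same setting is normally managed centrally through the Group Policy security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" rather than by editing the registry on each machine. Lowering the count to 0 removes the stale hashes the article describes, but it also means laptops that are off the corporate network can no longer log in with domain accounts, which is the trade-off to weigh before enforcing it.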
Experts note that the problem is most relevant for organizations where employees may accidentally or intentionally disclose old passwords. Although Microsoft does not plan to remove this behaviour, companies can reduce the risk by regularly updating their security policies and disabling outdated protocols.

Source: tweakers