Windows Remote Desktop Protocol Allows Revoked Passwords; Microsoft Calls it a Feature

Microsoft has confirmed that its Remote Desktop Protocol allows logins with revoked passwords due to local caching, calling it intentional design despite security backdoor concerns.

Changing your Microsoft or Azure account password might not secure your Windows PC from remote access as completely as you’d expect. A peculiar behavior within Windows’ Remote Desktop Protocol (RDP) – the technology allowing users to control a PC remotely – means that even after you’ve updated your credentials, an old, revoked password can often still be used to log into your machine remotely.

Microsoft acknowledges this behavior, as reported by Ars Technica, but frames it as an intentional design element, not a security vulnerability it plans to address.

The root of the issue lies in how Windows handles authentication for RDP sessions linked to Microsoft or Azure accounts. After successfully verifying credentials online the first time, Windows stores a cryptographically secured copy locally.

For many subsequent RDP login attempts, the system checks the entered password against this local cache. If it matches a previously valid, cached credential – even one that’s since been revoked online – access is granted, effectively sidestepping current password checks, multi-factor authentication prompts, and other cloud-based access policies.

A Question of Trust and Security

Independent security researcher Daniel Wade brought renewed attention to this functionality by reporting it to the Microsoft Security Response Center earlier in April. Wade highlighted that old passwords could remain functional indefinitely for RDP access, potentially even from entirely new devices connecting remotely, without generating any warnings from standard security software.

He characterized the situation starkly: “This Isn’t Just a Bug. It’s a Trust Breakdown.” Wade emphasized the universal expectation that a password change immediately invalidates the old credential. “People trust that changing their password will cut off unauthorized access… It’s the first thing anyone does after suspecting compromise,” he wrote, adding, “The result? Millions of users—at home, in small businesses, or hybrid work setups—are unknowingly at risk.”

He also noted instances where multiple older passwords might work while newer ones fail, adding to the unpredictability. Wade warned this creates a “silent, remote backdoor into any system where the password was ever cached.”

Microsoft’s Position and Response

Microsoft’s official explanation centers on usability during network outages. The company stated the local caching mechanism is “a design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline.” Because it views this as intended functionality, Microsoft informed Wade it does not meet the bar for a security vulnerability.

The company also revealed that the issue had been previously reported, stating, “We have determined that this is an issue that has already been reported to us by another researcher in August 2023, so this case is not eligible for a bounty award.” While a code change was initially considered, it was ultimately rejected due to concerns it “could break compatibility with functionality used by many applications.”

Expert Views and Limited Mitigation

Security professionals view this justification with concern. Will Dormann, a senior vulnerability analyst at Analygence, told Ars Technica, “It doesn’t make sense from a security perspective… If I’m a sysadmin, I’d expect that the moment I change the password of an account, then that account’s old credentials cannot be used anywhere. But this is not the case.”

The most cited risk involves scenarios where a Microsoft or Azure account password has been leaked or stolen; an attacker, though locked out of the online account after a password reset, might retain persistent RDP access to the user’s Windows machine using the old, compromised password.

Following Wade’s report, Microsoft updated its online documentation covering Windows logon scenarios. A new caution note was added: “When a user performs a local logon, their credentials are verified locally against a cached copy before being authenticated with an identity provider over the network… if the user changes their password in the cloud, the cached verifier is not updated, which means that they can still access their local machine using their old password.”

However, this update offers little practical guidance for users concerned about this specific risk vector. Dormann suggested the most direct mitigation currently available is to reconfigure RDP settings to authenticate using only traditional, locally managed Windows user accounts and passwords, thereby avoiding the Microsoft/Azure account integration and its associated caching behavior for RDP logins.
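As an added example (not from the article, from Microsoft, or from the researchers quoted), the following PowerShell audit enumerates which principals can reach a PC over RDP and flags Microsoft or Azure account identities, which are the ones whose cached verifier the article says is not refreshed after a cloud password change. It assumes the built-in Microsoft.PowerShell.LocalAccounts module, an elevated prompt, and English default group names; the account name `rdp-local-user` is a placeholder.

```powershell
# Added example: audit RDP-capable principals and flag cloud identities.
# Assumes Windows 10/11 with Microsoft.PowerShell.LocalAccounts and an elevated shell.
# Both of these local groups are allowed to log on through Remote Desktop.
$groups = @('Remote Desktop Users', 'Administrators')

$findings = foreach ($g in $groups) {
    # -ErrorAction SilentlyContinue skips orphaned SIDs that the cmdlet cannot resolve
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group         = $g
            Member        = $_.Name
            # PrincipalSource is Local, ActiveDirectory, AzureAD or MicrosoftAccount
            Source        = $_.PrincipalSource
            CloudIdentity = ($_.PrincipalSource -in 'AzureAD', 'MicrosoftAccount')
        }
    }
}

$findings | Format-Table -AutoSize

$cloud = @($findings | Where-Object CloudIdentity)
if ($cloud.Count -gt 0) {
    $msg = "{0} RDP-capable principal(s) are cloud identities; a password they once " +
           "used here may keep working for RDP after a cloud password reset." -f $cloud.Count
    Write-Warning $msg
}

# Optional follow-up matching the mitigation quoted above: create a dedicated local
# account for RDP so the cloud identity need not hold RDP rights at all.
# 'rdp-local-user' is a placeholder name; pick your own.
$name = 'rdp-local-user'
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $name" -AsSecureString
    New-LocalUser -Name $name -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $name
}
```

After the local account works, removing the cloud identity from the two groups (`Remove-LocalGroupMember`) is what actually closes the path; the script deliberately only reports it.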

Understanding the Tools Involved

The password persistence issue affects remote connections established using the standard “Remote Desktop Connection” client, a utility integrated into Windows for decades. It is important not to confuse this built-in tool with the separate “Remote Desktop app” distributed via the Microsoft Store. As announced in March 2025, Microsoft is retiring that specific Store app on May 27, 2025, advising its users who connect to cloud services like Windows 365 or Azure Virtual Desktop to transition to the newer “Windows App.” This app retirement is separate from and does not alter the functionality or the password caching behavior of the traditional “Remote Desktop Connection” tool.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
