Microsoft has confirmed that its Remote Desktop Protocol (RDP) allows users to log in with revoked passwords, a design choice intended to prevent user lockouts. This controversial decision means that even after changing a password, access can still be granted, leaving millions of users vulnerable without clear guidance or detection methods from Microsoft.