On Mon, May 6, 2013 at 7:06 PM, mike smith <[email protected]> wrote:
> It'd be storing the hashed user/pw that gets sent off for authentication,
> or it should. Then when you change your pw on the domain, the hash no
> longer works. Insecure if anyone else touches your computer, and you can't
> make that assumption in a work environment?
>

See my next post on the thread. DSAPI is the issue - or rather - whoever designed it didn't consider that your password might get changed at places other than on your local PC. Fail.

David.
