6

I assumed that a connection was needed in order to log in with a Live ID, but I discovered that Windows 8 allows me to log in even without internet.

This is convenient as I wouldn't want to be locked out of my computer, but how does it work?
If it's storing a local password, isn't that dangerous security-wise?

(thinking for instance of somebody logging in locally with a fake password after changing it on the HDD, writing a mail offline which would then be sent with my ID when I connect with my real password)

Razor
  • You're logging into your local account, which shares the same password; they wouldn't be able to use a fake invalid password. – Ramhound Nov 01 '12 at 12:27
  • 2
    If someone has physical access to the disk, there is nothing you can do to stop them, other than full-disk encryption. – SLaks Nov 01 '12 at 12:34

1 Answer

4

Windows caches the password locally. This makes it possible to log in without a connection.
Would you be happy if Windows didn't allow you to log in and use your computer when you have no Wi-Fi connection?

It will deny login if the passwords do not match.

I guess it works similarly to domain logons: if the domain controller is not available but the entered password matches the locally stored one, Windows allows logon. Even more, Windows does not contact the domain controller right away if the cached password matches, but it will validate the password on the domain if it doesn't, in case you changed it.

Of course, you have to be connected when you log in for the first time.

Alexey Ivanov
  • 2
    I'm also not sure how long the cache will last. I know that Active Directory will cache a password, but eventually must be reconnected to the domain. Though Live IDs are also obviously cached, I wouldn't rely on the cache lasting forever. – Tanis.7x Nov 01 '12 at 13:26
  • 1
    @Tanis.7x A quick search in Google suggests the Active Directory password cache never expires, although the password itself is still subject to password policies. So it makes me think the cached Microsoft Account password does not expire. Anyway, in the current world, you're hardly disconnected for more than a couple of days. – Alexey Ivanov Nov 01 '12 at 21:26
  • Indeed, I don't envision being disconnected from the internet for any length of time to be an issue for most users. I'm thinking my organization might simply have a different policy in place for caching AD credentials. Thanks for the correction! – Tanis.7x Nov 01 '12 at 22:48
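
A simplified model of the cached-logon decision described in the answer above, as an added example that is not part of the original thread and is not Windows' actual implementation. The PBKDF2 verifier, the `Authority` and `Workstation` classes and the sample passwords are assumptions made for illustration; the example shows that a cached entry only exists after one online logon, and that a stale entry keeps accepting the old password offline until the cache is refreshed.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # illustrative work factor, not a Windows value

def make_verifier(password, salt=None):
    """Derive a salted, slow verifier; the cache never holds the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Authority:
    """Hypothetical stand-in for the online account service or domain controller."""
    def __init__(self, password):
        self.password = password
    def validate(self, password):
        return hmac.compare_digest(self.password.encode(), password.encode())

class Workstation:
    def __init__(self):
        self.cache = None  # (salt, digest), written only after an online logon

    def logon(self, password, authority=None):
        """authority=None models 'no network'. Returns (allowed, how)."""
        if self.cache is not None:
            salt, digest = self.cache
            if hmac.compare_digest(make_verifier(password, salt)[1], digest):
                return True, "cached"        # match: the authority is not contacted
        if authority is None:
            return False, "denied-offline"   # mismatch and nothing to ask
        if authority.validate(password):
            self.cache = make_verifier(password)  # refresh cache after online check
            return True, "online"
        return False, "denied-online"

def demo():
    """Constructed scenario with sample passwords."""
    service, pc = Authority("correct horse"), Workstation()
    out = [pc.logon("correct horse"),           # never logged on here, offline
           pc.logon("correct horse", service),  # first logon needs the network
           pc.logon("correct horse"),           # offline, cache matches
           pc.logon("wrong guess")]             # offline, mismatch
    service.password = "new secret"             # password changed elsewhere
    out += [pc.logon("correct horse"),          # offline: stale cache still matches
            pc.logon("new secret", service),    # mismatch, validated online
            pc.logon("correct horse")]          # old password no longer cached
    return out

if __name__ == "__main__":
    for result in demo():
        print(result)
```
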