Blank Password Avoids Change/Uniqueness Protections

• Microsoft Windows NT operating system version 3.1
• Microsoft Windows NT Advanced Server version 3.1

SYMPTOMS

If the administrator creates a new account but doesn't enter a password, the "User Must Change Password at Next Logon" check box doesn't seem to work: when you next logon, Windows NT asks for a new password but will accept a blank password.

CAUSE

Even when a password history is in effect, you can still change your password from a blank password to a blank password. The password uniqueness setting should not allow this.

Blank passwords are not stored in the password history, so you can change your password to a blank password at any time -- even if you used a blank password more recently than the password uniqueness setting is supposed to allow.

Steps to Reproduce Behavior

1. Create a new user without entering a password.

2. Choose User Must Change Password.

3. Logon as that user. You are asked to enter a new password.

4. At the prompt to enter a new password, choose OK.