>This is interesting. How does you check, if you don't mind me asking, to see if the password is correct?

I use a method documented in MSDN Q180548. Basically, it tries to logon the user with the given password and, if successful...

BTW, as far as I remember, the code in that article has several bugs. Anyway, there's the basic idea.

>Since this can be done programmatically, it would, theoretically, seem to be a possible security problem since you could write routines to construct and cycle thru passwords until it found a match. Correct?

Yes and no. Basically, in NT, it's impossible to check a password without a logon. Since the number of failed logons can be limited (using the User Manager program), the number of tries to guess a password can be limited. So, there's not much danger here.

It's worth noticing that any serious OS must allow user impersonation (is there such a word in English?), thus, it must expose a method to programatically logon a user. So, any good system admin should limit the number of failed logons in order to protect the system against password "guessing".

Vlad