AFAIK, its not really a security bug. Windows 98 didn't really have any concept of user security. With the default install you could always cancel out of the login dialog and use the guest account. Every account was an 'administrator'. The user name / pwd was mainly to store the OS customization settings like UI colors and such.

I believe hitting "cancel" was enough. https://www.youtube.com/watch?v=DE5PRW-AR7Q

Also reminds me of https://youtu.be/BVL8_ne4WZo?t=19s

from the only top-level comment on that video:

> That isn't a login screen for Windows 98, it's a login for Microsoft Networking (which the box shows). If you had any shared mapped drives, network privileges, etc they wouldn't work if you cancelled. If you had multiple profiles set up, you wouldn't get those either. Win98 wasn't intended to have password security.

Good point. Been a while. Windows 7 also has/had an interesting one https://www.youtube.com/watch?v=zwO4YqSc4XE but it's much more involved.

Did Windows98 even have administrator role? I mean FAT file systems don't even have file ownership right?

It did. But didn't have security tied to the fs.

Exactly my thoughts. I remember this, I think even early versions of WinXP had this feature.

Exactly early versions of Windows XP had this: They removed the Administrator user from their graphical login splash but when booted in rescue mode ("Safe mode") you could just type in "Administrator" with no password and were in. On Win98, you could just cancel the login.

it was a feature not a bug. something related to not DoSing yourself by forgetting your password /s