The standard role-separation mechanism in Windows for a local administrator is to have a single account, but protect it using UAC, and configure it for Always Notify if increased security is desired. Unfortunately, this mechanism is perpetually vulnerable to bypasses. See "Microsoft said UAC is not a security barrier. But in what cases?"

To prevent the bypasses, a more secure strategy is to have two separate user accounts, one admin and one non-admin, for the user. Then there's no UAC bypass, except for occasional privilege escalation vulnerabilities (much more rare than intra-account UAC bypasses) found in Windows.

Unfortunately, that more secure strategy is also more of a hassle, because the user must enter a password every time he gets an elevation prompt, instead of just clicking a button. So my idea is this: have both the admin and the non-admin account share the same password. When the admin account password-entry prompt is displayed, if the user just clicks OK with a blank password, Windows should first try using the (already logged in, of course) non-admin account's password by default.

Of course, you can already create two accounts with the same password. The change I'm proposing is an enhancement to the elevation mechanism, to optimistically assume that you did use the same password for both accounts.

It seems this would combine the UX convenience of a single account (just click a button to elevate) with the security of separate accounts. My question is: is that actually true? If not, what did I miss? E.g. the kind of answer I'm looking for is: Your idea is broken because... (insert my logic error here).

As an additional benefit over the standard strategy of separate accounts with separate passwords, my idea would prevent password phishing by non-elevated malware, since the user is conditioned to just click a button, not enter his password in elevation prompts.
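The two models contrasted above (a single admin account behind UAC versus a separate non-admin account) can be checked on a given machine. The following script is an added example, not part of the question or its comments: it reads Microsoft's documented UAC policy values under HKLM and checks whether the logged-on user is a direct member of the local Administrators group. It assumes Windows 10 or later with the built-in LocalAccounts module, and it does not resolve nested group membership.

```powershell
# Added example: report which UAC/account model this machine is actually using.
function Get-UacPostureReport {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Documented meanings of ConsentPromptBehaviorAdmin (applies to admin accounts).
    $adminBehavior = @{
        0 = 'Elevate without prompting (UAC effectively disabled for admins)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }
    # Documented meanings of ConsentPromptBehaviorUser (applies to non-admin accounts).
    $userBehavior = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }
    function Describe($table, $value) {
        if ($null -eq $value) { 'not set' }
        elseif ($table.ContainsKey([int]$value)) { $table[[int]$value] }
        else { "unknown ($value)" }
    }

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([System.Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    # Direct members of BUILTIN\Administrators (well-known SID S-1-5-32-544).
    $adminSids = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
    $isAdminMember = $adminSids -contains $identity.User.Value

    # "Always Notify" on the UAC slider is ConsentPromptBehaviorAdmin=2 with PromptOnSecureDesktop=1.
    $model = if (-not $isAdminMember) { 'Separate non-admin account (credential prompt to elevate)' }
             elseif ($elevated) { 'Already running with a full admin token' }
             else { 'Single admin account behind UAC (filtered token, consent prompt)' }

    [pscustomobject]@{
        User                   = $identity.Name
        MemberOfAdministrators = $isAdminMember
        CurrentlyElevated      = $elevated
        EnableLUA              = [bool]$p.EnableLUA
        AdminPromptBehavior    = Describe $adminBehavior $p.ConsentPromptBehaviorAdmin
        UserPromptBehavior     = Describe $userBehavior $p.ConsentPromptBehaviorUser
        SecureDesktop          = [bool]$p.PromptOnSecureDesktop
        AlwaysNotify           = ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1)
        Model                  = $model
    }
}

Get-UacPostureReport | Format-List
```

Run it from the account you want to audit, unelevated: a result of "Single admin account behind UAC" with AlwaysNotify false is the configuration the question's first paragraph describes as weakest.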

  • Can you edit to summarize exactly what it is you are asking? It's not very clear from the way you phrased it...
    – nbering
    Commented Jul 15, 2018 at 19:22
  • I'm asking whether the feature I proposed would indeed provide both the convenience of a single account (not having to enter your password to elevate) and the security of separate accounts (preventing UAC bypasses). I'm asking because this idea seems too easy, so I suspect I missed something that would make it insecure. Commented Jul 16, 2018 at 1:15
  • Have you tried anything, yet? You ask a lot of sub-questions here that you might be able to answer better for yourself if you just try a few things.
    – nbering
    Commented Jul 16, 2018 at 1:19
  • I can't implement the feature I proposed myself, since it would require a change to the Windows UAC elevation prompt source code. Besides that, even if I could implement it myself, that doesn't answer my question of if it would be a waste of time (no additional security), or even worsen security. Commented Jul 16, 2018 at 1:26
  • I think hypothetical questions about Windows security features would be off-topic for this site. The only part of this that might be answerable is that passing the current user’s password to the admin account would be a bad idea. There have actually been security issues in Windows in the past related to local user admins with the same password on multiple networked machines. I wouldn’t be the right person to cover that in detail, though.
    – nbering
    Commented Jul 16, 2018 at 1:32