I had an interesting discussion today I would like to share to see if anyone has seen this before.

It seems in "names.nsf" file on a Notes server, the password hashes of the users listed can be seen. This can be done in numerous ways:

- By looking at the names.nsf in a browser window
- By looking at the source of names.nsf in an editor
- By looking up the address book itself and creating a view with the HTTPPassword field
- By exporting idvidual users in Notes and viewing this in text form

This is disturbing to me in more ways than one. I do not know if this hash is "crackable", and frankly am a little scared to find out.

Has anyone seen this before? What have you done? What CAN be done?