Well, EA does not look into them when using AD. You can probably regard them as garbage then? Or are you afraid of hacking? In that case sit back. The hacker door is open as wide as could be since any EA user has full access to the whole database with no restrictions.
q.
The concern is legitimate. If EA would store the password (like it did in the past with an unsalted hash) you could have a security issue on your hands.
A lot of users re-use passwords.
If I were to get my hands on a list of users and their passwords, I could try those passwords on their Gmail, Facebook, etc. accounts.
The fact that the model can be accessed fairly easily is not really my concern. The model doesn't contain any secrets anyway.
But anyway, since a user that is imported from AD never enters his password in EA, there is no way EA can register the actual password (in a hashed form or otherwise).
I'm not sure what is actually stored in that field.
For AD users it might be the password hash from AD (although I doubt that, I don't think that is actually possible), but more likely it's another kind of hash, or just rubbish.
For regular, non-AD users, it's definitely a hashed password, but I believe in recent versions it's at least salted (users with the same password have a different hash).
No idea about the actual hashing algorithm used and whether or not that is a secure algorithm for hashing passwords.
The main security risk here is not allowing access to EA's model (that can be controlled on the database level), but exposing users' passwords.
By using AD users you don't have that risk anymore.
Geert