Free Republic

To: general_re
I don't think it is ... if you can get the hashed version of the password you can then crack it as they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included as plaintext in the hash.
That means that you only have to hash all the possible combinations of 8 letter words to get their full dictionary of possibilities. If they had salt in there (say numbers 0->255) you would have to have a list that's 255 times bigger. I'm not sure what the salt number range is in unix.
It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password.
13 posted on 07/22/2003 9:22:42 PM PDT by lelio
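An added illustration of the salt point raised in post 13 (not part of any poster's message): without a salt, equal passwords give equal stored values and one precomputed table covers every account, while a per-account random salt stored in plaintext beside the digest breaks both. SHA-256 and PBKDF2 are stand-ins chosen here, since the thread names no algorithm; all function names, users and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def unsalted_hash(password):
    # Stand-in digest (SHA-256); the thread does not name the real algorithm.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    # Unix-style: random salt, stored in plaintext in front of the digest.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    # Re-hash the candidate with the salt read back from the stored value.
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(salted_hash(password, salt), stored)

def accounts_sharing_a_hash(store):
    # Audit check: identical stored values mean identical passwords, no salt.
    groups = defaultdict(list)
    for user, stored in store.items():
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def precomputed_hits(store, wordlist):
    # One table built once, without looking at the store, resolves every
    # unsalted entry whose password is in the wordlist.
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}

# Constructed sample data, not taken from any real system.
PASSWORDS = {"alice": "xyzzy", "bob": "xyzzy", "carol": "plugh"}
WORDLIST = ["xyzzy", "plugh", "frotz"]
UNSALTED = {u: unsalted_hash(p) for u, p in PASSWORDS.items()}
SALTED = {u: salted_hash(p) for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted duplicates:", accounts_sharing_a_hash(UNSALTED))
    print("unsalted table hits:", precomputed_hits(UNSALTED, WORDLIST))
    print("salted duplicates:  ", accounts_sharing_a_hash(SALTED))
    print("salted table hits:  ", precomputed_hits(SALTED, WORDLIST))
    print("salted verify ok:   ", verify_salted("xyzzy", SALTED["alice"]))
```

Running `accounts_sharing_a_hash` over a credential store is a quick audit: any group it returns means the scheme is unsalted or the salt is being reused.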


To: lelio
It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password.

Well, yes. But if I have people sniffing on my network I think I already have way bigger problems, don'tcha think?

19 posted on 07/22/2003 9:36:52 PM PDT by Ramius

To: lelio
if you can get the hashed version of the password you can then crack it as they don't use any "salt" in the hash.

That's sort of like giving flying instructions akin to "Step one: Once you're airborne..." - the problem is getting hold of the hashes in the first place.

It's my understanding that if you sniff the wire when logging into a domain you might be able to get this hashed password.

Kerberos and IPsec will prevent that - assuming that the bad guy managed to "Mission:Impossible" himself into your building in the first place ;)

21 posted on 07/22/2003 9:39:58 PM PDT by general_re (The wheel is turning but the hamster is dead.)

To: lelio
"they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included..."

More salt and hash here than in the greasy spoon up the street.

72 posted on 07/22/2003 11:16:15 PM PDT by RightOnline

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson