Password Appraiser (PA) contains a flaw that exposes every internal Windows NT password to the Internet, regardless of the presence of a firewall. The issue is due to PA sending the encrypted NT passwords to a remote host on the Quackenbush network. If the encrypted password matches an entry in their dictionary, the unencrypted password is returned to the PA client. Any attacker who has set up a sniffer between the client and the Quackenbush server can obtain these passwords.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.