The passwords used in any of the authentication mechanisms used by this protocol have to be protected from access from over the network and from physical access. If the server does not support access control at the individual file level, but only at the file tree level, then password files can not be placed in a file tree that is accessible from the network, as all files in such a tree have to be at least equally readable.