There were no answers to this question, so thought I'd post one here...
I enabled "use Authorization" in Menu > Games/Plugins > Webinterface. The web interface immediately presented me with an authentication popup, asking for username and password. The old user/pass combinations that can be found on the Dream Multimedia boards (root/password and root/dreambox) didn't work.
So I telnetted to the box as "root" - no password required.
Then I set the root password using the "passwd" command, as for any *NIX box. Once I did that the web interface, telnet and FTP all correctly required my new password to login.
If you have any Internet connectivity on your Dreambox, ensure you enable authorisation and set a decent password. Otherwise your Dreambox will eventually be shagged one way or another.
Rather disturbingly, I was able to connect to the machine via SMB/CIFS as a guest (no auth) and had full access (write permissions) to the Configuration and Harddisk shares. The Configuration share is the whole /var/log/ directory - one of the few places wide-open guest access is desirable (/etc/ probably being the last). You could edit /etc/samba/smb.conf to fix this, but I don't know what impact that would have.