Legacy VNC passwords are stored in a reversible format. For RealVNC Server in Service Mode, these are kept in a secure Registry location (Windows) or the home directory of the root user (Mac/Linux). These locations are locked down to only allow read/write by members of the system's Administrators group.
To improve security against local Administrator-level attacks, we have changed the local storage mechanism of VNC Passwords to be a salted hash, meaning they can no longer be reversed to retrieve the original plaintext password. The salted hash is generated by applying 20000 rounds of PBKDF2 by default.
When setting a VNC Password using the RealVNC Server Options UI, the password will be stored as a salted hash when encryption is enabled. If encryption is disabled, or set to PreferOn or PreferOff, a "Legacy" checkbox is shown if you want to allow connections from legacy VNC Viewers. Note that when the "Legacy" option is enabled, RealVNC Server will only use the first 8 characters of the password. Use of the "Legacy" option is not recommended unless you have a specific requirement to use it.
A legacy VNC Viewer is defined as RealVNC VNC Viewer 4.1 or older, or a non-RealVNC VNC Viewer.
If upgrading from an older version of RealVNC Server to RealVNC Server 6.11.0, when RealVNC Server starts it will automatically convert all existing stored passwords with the new salted hash mechanism. Note, if encryption is disabled, or set to PreferOn or PreferOff, stored passwords will not be converted.