Legacy VNC passwords are stored in a reversible format. For VNC Server in Service Mode, these are kept in a secure Registry location (Windows) or the home directory of the root user (Mac/Linux). These locations are locked down to only allow read/write by members of the system's Administrators group.
To improve security against local Administrator-level attacks, we are changing the local storage mechanism of VNC Passwords to be a salted hash, meaning they can no longer be reversed to retrieve the original plaintext password. The salted hash is generated by applying 20000 rounds of PBKDF2 by default.
After upgrading to VNC Server 6.11.0, VNC Server will automatically convert all existing stored passwords to the new salted hash format when it starts. Note that if encryption is disabled, or set to PreferOn or PreferOff, stored passwords will not be converted.
When setting a VNC Password using the VNC Server Options UI, the password is stored as a salted hash when encryption is enabled. If encryption is disabled, or set to PreferOn or PreferOff, a "Legacy" checkbox is shown so that you can allow connections from legacy VNC Viewers. Note that when the "Legacy" option is enabled, VNC Server uses only the first 8 characters of the password. Use of the "Legacy" option is not recommended unless you have a specific requirement for it.
A legacy VNC Viewer is defined as RealVNC VNC Viewer 4.1 or older, or a non-RealVNC VNC Viewer.
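The following is an added illustration (not RealVNC's code) of the two storage behaviours described above: a salted PBKDF2 hash at the article's default of 20000 rounds, which cannot be reversed and can only be verified, and the legacy truncation to 8 characters, which makes longer passwords that share a prefix indistinguishable. The PRF (HMAC-SHA256), the 16-byte salt length and the 32-byte output length are assumptions; the article does not state them.

```python
# Added example of a salted PBKDF2 password store and of the legacy
# 8-character truncation. Assumptions not stated in the article:
# HMAC-SHA256 as the PRF, a 16-byte random salt, a 32-byte derived key.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 20000      # default round count given in the article
LEGACY_MAX_CHARS = 8       # legacy mode keeps only the first 8 characters


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> dict:
    """Return a record {salt, rounds, hash}; the plaintext cannot be
    recovered from it, only checked against a candidate."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, rounds, dklen=32)
    return {"salt": salt, "rounds": rounds, "hash": dk}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and round count and compare
    in constant time, so a stored record never needs to be reversed."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["rounds"], dklen=32)
    return hmac.compare_digest(dk, record["hash"])


def legacy_effective_password(password: str) -> str:
    """Model the legacy behaviour: only the first 8 characters count."""
    return password[:LEGACY_MAX_CHARS]


def legacy_passwords_collide(a: str, b: str) -> bool:
    """True when two passwords are treated as identical under legacy mode,
    which is why the article recommends against the Legacy option."""
    return legacy_effective_password(a) == legacy_effective_password(b)


if __name__ == "__main__":
    rec = hash_password("CorrectHorseBattery")
    print("verify ok:", verify_password("CorrectHorseBattery", rec))
    print("legacy collision:",
          legacy_passwords_collide("CorrectHorseBattery",
                                   "CorrectHorseStaple"))
```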