Teamprise client applications can remember authentication credentials so the user does not have to type them every time the application connects to a Team Foundation Server. These credentials are saved in connection profiles when a profile is created or edited, and in the workspace cache if the user enabled cached credential saving (a check-box in the graphical applications, an environment variable for the command-line client). The profile and workspace caches are stored as XML files on disk which can be easily inspected.
When credentials are saved to these files, passwords are always encrypted. The username and domain name are not encrypted. The same encryption process is used for all passwords (TFS login credentials, HTTP proxy credentials, etc.) in all Teamprise clients.
Encryption is done using the Triple DES algorithm (specifically DESede), a symmetric-key block cipher. Teamprise programs load and use the DESede cipher from the Java run-time environment; it is not re-implemented in the Teamprise program code.
The key used for encryption (and decryption) of the passwords is built into the Teamprise products.
Although the DES cipher is still considered strong, the use of a single key built into all of the Teamprise products limits the overall security of the encrypted information. Customers who require a higher level of security are encouraged to use integrated Active Directory authentication on Windows, to use Kerberos authentication on supported platforms, or to turn off password saving (and remove passwords from saved profiles).
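To act on the recommendation to remove passwords from saved profiles, the following added example (not Teamprise code) walks a directory of XML files and reports which ones still hold a saved password, returning only the location and length of each value, never the value itself. The page does not give the file locations or the XML schema, so the directory is supplied by the caller, and treating any element or attribute whose name contains "password" as a saved password is an assumption.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: the page does not give the XML schema, so any element or
# attribute whose name contains "password" is treated as a saved password.
MARKER = "password"


def find_saved_passwords(xml_path):
    """Return (location, length) for each non-empty password-like value in one file."""
    hits = []
    root = ET.parse(xml_path).getroot()
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if MARKER in tag.lower() and (elem.text or "").strip():
            hits.append((f"<{tag}>", len(elem.text.strip())))
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1]
            if MARKER in attr.lower() and value.strip():
                hits.append((f"<{tag} {attr}=...>", len(value.strip())))
    return hits


def audit_tree(top):
    """Walk a directory and map each XML file holding saved passwords to its hits."""
    report = {}
    for folder, _dirs, files in os.walk(top):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(folder, name)
            try:
                hits = find_saved_passwords(path)
            except ET.ParseError:
                continue  # not well-formed XML, skip it
            if hits:
                report[path] = hits
    return report


def demo():
    """Audit a constructed profile file (sample data, not a real Teamprise file)."""
    sample = ('<profiles><profile><username>jdoe</username><domain>CORP</domain>'
              '<password>3q2+7w==</password></profile><profile><password/></profile></profiles>')
    with tempfile.TemporaryDirectory() as top:
        with open(os.path.join(top, "profiles.xml"), "w", encoding="utf-8") as fh:
            fh.write(sample)
        return sorted(hits for hits in audit_tree(top).values())
```

Call `audit_tree()` on the directory that holds the profile and workspace cache files; an empty result means no saved password values were found under the naming assumption above.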
The cipher used to encrypt passwords does not impose any limitations on the size or content of the encrypted data. Passwords stored in profiles and the workspace cache can be any length.