Hi, the server does what it does because you have asked it to - ie it will log the password because you have asked it to - that is why there is a 'suppress' feature in the detail module, for example, so it is NOT logged. the server will print out everything it knows in full debug mode - because it is full debug mode. if the packet is PAP (as your logs show) then the password is passed in the clear within that tunnel...and so is shown. why? for debugging..... many many times the users list if filled with 'it doesnt work' and the password isnt what they are trying to use in the client (they are usually editing the wrong file) or its mangled - incorrect shared secret. if you want to make a local modification so that your server doesnt print this out, then simply look for the sections where this code is printed and print XXXXXXX instead.... but then expect many headaches when trying to diagnose issues - and as others have said, wtrong place to be paranoid...if someone has that level of access in the server then they can do anything - and be very aware of the day when someone helpfully updates your source code and blows away that local change. better to ensure the CONFIG is correct to stop the logging of passwords etc...and worry about server access security instead. alan