The Prognosis Client / GUI / thick client authentication is fully encrypted across the wire to the server process irnetrtr. The credentials pass through via an API to the underlying operating system for authentication so it is not stored anywhere in memory or on disk. Hence why we login into the Prognosis Client using a pre-existing Windows account (or Unix or HP NonStop account ).

The Web UI / Web interface authentication goes over the wire via a standard IIS HTTPS connection (HTTPS is encrypted of course) and a Prognosis process irpqlsrv needs to keep track by storing 'login tokens' in memory to avoid storing credentials anywhere.

Note that in addition to encrypted credentials, the Prognosis 11.0 and later versions has FIPS compliant encryption over the Client-to-Server connection. See Online Help for details:
User Interfaces > Windows Client > Server Logon > Server Logon

HTH