diff --git a/src/eap-ttls.c b/src/eap-ttls.c
index 6832af51..efd9604b 100644
--- a/src/eap-ttls.c
+++ b/src/eap-ttls.c
@@ -155,6 +155,7 @@ static uint8_t *avp_builder_free(struct avp_builder *builder, bool free_data,
 	uint8_t *ret;
 
 	if (free_data) {
+		explicit_bzero(builder->buf, builder->pos);
 		l_free(builder->buf);
 		builder->buf = NULL;
 	}
@@ -514,10 +515,12 @@ static bool eap_ttls_phase2_chap_init(struct eap_state *eap)
 	build_avp_user_name(builder, credentials->username);
 	build_avp_chap_challenge(builder, challenge);
 	build_avp_chap_password(builder, &ident, password_hash);
+	explicit_bzero(password_hash, sizeof(password_hash));
 
 	data = avp_builder_free(builder, false, &data_len);
 
 	eap_tls_common_tunnel_send(eap, data, data_len);
+	explicit_bzero(data, data_len);
 	l_free(data);
 
 	return true;
@@ -556,10 +559,12 @@ static bool eap_ttls_phase2_ms_chap_init(struct eap_state *eap)
 	mschap_nt_password_hash(credentials->password, password_hash);
 
 	build_avp_ms_chap_response(builder, &ident, challenge, password_hash);
+	explicit_bzero(password_hash, sizeof(password_hash));
 
 	data = avp_builder_free(builder, false, &data_len);
 
 	eap_tls_common_tunnel_send(eap, data, data_len);
+	explicit_bzero(data, data_len);
 	l_free(data);
 
 	return true;
@@ -664,6 +669,7 @@ static bool eap_ttls_phase2_mschapv2_handle_success(struct eap_state *eap,
 	uint8_t nt_response[MSCHAPV2_RESPONSE_LEN];
 	char nt_server_response[MSCHAPV2_SERVER_RESPONSE_LEN];
 	uint8_t password_hash_hash[16];
+	bool r;
 
 	if (len != CHAP_IDENT_LEN + MSCHAPV2_SERVER_RESPONSE_LEN) {
 		l_error("TTLS Tunneled MSCHAPv2: Server response has invalid "
@@ -688,12 +694,15 @@ static bool eap_ttls_phase2_mschapv2_handle_success(struct eap_state *eap,
 		goto error;
 	}
 
-	if (!mschapv2_generate_authenticator_response(
+	r = mschapv2_generate_authenticator_response(
 					password_hash_hash, nt_response,
 					mschapv2_state->peer_challenge,
 					mschapv2_state->server_challenge,
 					credentials->username,
-					nt_server_response)) {
+					nt_server_response);
+	explicit_bzero(password_hash_hash, sizeof(password_hash_hash));
+
+	if (!r) {
 		l_error("TTLS Tunneled-MSCHAPv2: Failed to generate server "
 								"response.");
 		goto error;
@@ -767,6 +776,7 @@ static bool eap_ttls_phase2_pap_init(struct eap_state *eap)
 	buf = avp_builder_free(builder, false, &buf_len);
 
 	eap_tls_common_tunnel_send(eap, buf, buf_len);
+	explicit_bzero(buf, buf_len);
 	l_free(buf);
 
 	return true;
@@ -909,6 +919,7 @@ static bool eap_ttls_tunnel_ready(struct eap_state *eap,
 								msk_emsk, 128);
 
 	eap_set_key_material(eap, msk_emsk + 0, 64, msk_emsk + 64, 64, NULL, 0);
+	explicit_bzero(msk_emsk, sizeof(msk_emsk));
 
 	if (phase2->ops->init)
 		return phase2->ops->init(eap);
@@ -1014,7 +1025,8 @@ static int eap_ttls_check_tunneled_auth_settings(struct l_settings *settings,
 					password_key, NULL, identity,
 					EAP_CACHE_TEMPORARY);
 		}
-	}
+	} else
+		explicit_bzero(password, strlen(password));
 
 	return 0;
 }