diff --git a/src/crypto.c b/src/crypto.c
index 59ce6835..da01cf6e 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -635,8 +635,8 @@ bool crypto_derive_pmk_r0(const uint8_t *xxkey,
 r = true;
 exit:
- memset(context, 0, pos);
- memset(output, 0, 48);
+ explicit_bzero(context, pos);
+ explicit_bzero(output, 48);
 return r;
 }
@@ -667,7 +667,7 @@ bool crypto_derive_pmk_r1(const uint8_t *pmk_r0,
 sha256 = l_checksum_new(L_CHECKSUM_SHA256);
 if (!sha256) {
- memset(out_pmk_r1, 0, 32);
+ explicit_bzero(out_pmk_r1, 32);
 goto exit;
 }
@@ -679,7 +679,7 @@ bool crypto_derive_pmk_r1(const uint8_t *pmk_r0,
 r = true;
 exit:
- memset(context, 0, sizeof(context));
+ explicit_bzero(context, sizeof(context));
 return r;
 }
@@ -714,7 +714,7 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
 sha256 = l_checksum_new(L_CHECKSUM_SHA256);
 if (!sha256) {
- memset(out_ptk, 0, ptk_len);
+ explicit_bzero(out_ptk, ptk_len);
 goto exit;
 }
@@ -726,7 +726,7 @@ bool crypto_derive_ft_ptk(const uint8_t *pmk_r1, const uint8_t *pmk_r1_name,
 r = true;
 exit:
- memset(context, 0, sizeof(context));
+ explicit_bzero(context, sizeof(context));
 return r;
 }
diff --git a/src/eap-mschapv2.c b/src/eap-mschapv2.c
index bb164544..17ee500b 100644
--- a/src/eap-mschapv2.c
+++ b/src/eap-mschapv2.c
@@ -194,9 +194,9 @@ static bool eap_mschapv2_reset_state(struct eap_state *eap)
 static void eap_mschapv2_state_free(struct eap_mschapv2_state *state)
 {
- memset(state->password_hash, 0, sizeof(state->password_hash));
+ explicit_bzero(state->password_hash, sizeof(state->password_hash));
- memset(state->user, 0, state->user_len);
+ explicit_bzero(state->user, state->user_len);
 l_free(state->user);
 state->user_len = 0;
diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index 3742ab18..5be7ea39 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
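Review bot: `explicit_bzero()` is a glibc/BSD extension rather than ISO C, and nothing in this diff adds a configure-time check or a fallback definition for it, so every call site from `crypto_derive_pmk_r0` onwards would fail to build against a libc that lacks it. If such a check already lives elsewhere in the tree this is covered; otherwise it should land together with this change. Separately, `explicit_bzero(output, 48)` hard-codes the buffer length; if `output` is a local array, `sizeof(output)` would keep the wipe in step with its declaration, which is outside the hunk.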
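Review bot: `explicit_bzero(state->user, state->user_len)` in `eap_mschapv2_state_free` runs without checking `state->user`, and glibc declares the first argument of `explicit_bzero` as non-null. Whether `state->user` can still be NULL when the state is freed is not visible in this hunk, but if it can, guard the wipe: `if (state->user) explicit_bzero(state->user, state->user_len);`. The function body continues past the end of the hunk.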
@@ -180,7 +180,8 @@ void eap_tls_common_state_free(struct eap_state *eap)
 l_free(eap_tls->client_key);
 if (eap_tls->passphrase) {
- memset(eap_tls->passphrase, 0, strlen(eap_tls->passphrase));
+ explicit_bzero(eap_tls->passphrase,
+ strlen(eap_tls->passphrase));
 l_free(eap_tls->passphrase);
 }
diff --git a/src/eap-ttls.c b/src/eap-ttls.c
index efd9604b..81245c1d 100644
--- a/src/eap-ttls.c
+++ b/src/eap-ttls.c
@@ -430,7 +430,8 @@ static void eap_ttls_phase2_credentials_destroy(
 return;
 if (credentials->password)
- memset(credentials->password, 0, strlen(credentials->password));
+ explicit_bzero(credentials->password,
+ strlen(credentials->password));
 l_free(credentials->username);
 l_free(credentials->password);
@@ -587,10 +588,10 @@ static void mschapv2_state_destroy(struct phase2_method *phase2)
 if (!state)
 return;
- memset(state->server_challenge, 0, MSCHAPV2_CHALLENGE_LEN +
+ explicit_bzero(state->server_challenge, MSCHAPV2_CHALLENGE_LEN +
 CHAP_IDENT_LEN);
- memset(state->peer_challenge, 0, MSCHAPV2_CHALLENGE_LEN);
- memset(state->password_hash, 0, 16);
+ explicit_bzero(state->peer_challenge, MSCHAPV2_CHALLENGE_LEN);
+ explicit_bzero(state->password_hash, 16);
 l_free(state);
 phase2->state = NULL;
diff --git a/src/eap.c b/src/eap.c
index 83923cc7..e4081b79 100644
--- a/src/eap.c
+++ b/src/eap.c
@@ -404,12 +404,17 @@ void eap_secret_info_free(void *data)
 return;
 if (info->value) {
- memset(info->value, 0, strlen(info->value));
+ size_t value_len = strlen(info->value) + 1;
+
+ if (info->type == EAP_SECRET_REMOTE_USER_PASSWORD)
+ value_len += strlen(info->value + value_len);
+
+ explicit_bzero(info->value, value_len);
 l_free(info->value);
 }
 if (info->parameter) {
- memset(info->parameter, 0, strlen(info->parameter));
+ explicit_bzero(info->parameter, strlen(info->parameter));
 l_free(info->parameter);
 }
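Review bot: The three wipes in `mschapv2_state_destroy` spell out each field's length by hand, including the literal `16` for `password_hash`, whereas the matching wipe in src/eap-mschapv2.c uses `sizeof(state->password_hash)`. Since the struct is freed on the very next line, a single `explicit_bzero(state, sizeof(*state));` would clear every field and stay correct if the struct gains another secret. The struct definition is outside the hunk, so confirm it holds no pointer members that must be released first.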
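Review bot: The new length calculation in `eap_secret_info_free` assumes that a value of type `EAP_SECRET_REMOTE_USER_PASSWORD` always holds two consecutive NUL-terminated strings, and nothing in the hunk states or checks that. If a value of that type were ever allocated with only one string, `strlen(info->value + value_len)` would read past the allocation and the following `explicit_bzero` would write zeros past it. The allocation site is not part of this diff, so record the layout at the point of use, for example `/* REMOTE_USER_PASSWORD packs "user\0password\0" into value; wipe both strings */`, and preferably store the total length at allocation time instead of recomputing it here. Note also that this is a behaviour change beyond the memset replacement (the old code wiped only the first string), which deserves a line in the commit message.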