diff --git a/src/pam/afs_auth.c b/src/pam/afs_auth.c index 502f2c8b02..632ace525d 100644 --- a/src/pam/afs_auth.c +++ b/src/pam/afs_auth.c @@ -61,7 +61,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, int got_authtok = 0; /* got PAM_AUTHTOK upon entry */ PAM_CONST char *user = NULL, *password = NULL; afs_int32 password_expires = -1; - int torch_password = 1; + char *torch_password = NULL; int i; PAM_CONST struct pam_conv *pam_convp = NULL; int auth_ok; @@ -209,13 +209,11 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, pam_afs_syslog(LOG_DEBUG, PAMAFS_NOFIRSTPASS, user); } else if (password[0] == '\0') { /* Actually we *did* get one but it was empty. */ - torch_password = 0; pam_afs_syslog(LOG_INFO, PAMAFS_NILPASSWORD, user); RET(PAM_NEW_AUTHTOK_REQD); } else { if (logmask && LOG_MASK(LOG_DEBUG)) pam_afs_syslog(LOG_DEBUG, PAMAFS_GOTPASS, user); - torch_password = 0; got_authtok = 1; } if (!(use_first_pass || try_first_pass)) { @@ -226,8 +224,6 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, if (password == NULL) { char *prompt_password; - torch_password = 1; - if (use_first_pass) RET(PAM_AUTH_ERR); /* shouldn't happen */ if (try_first_pass) @@ -260,7 +256,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, my_password_buf[sizeof(my_password_buf) - 1] = '\0'; memset(prompt_password, 0, strlen(prompt_password)); free(prompt_password); - password = my_password_buf; + password = torch_password = my_password_buf; } @@ -402,7 +398,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, * after pam_afs */ if (!got_authtok) { - torch_password = 0; + torch_password = NULL; (void)pam_set_item(pamh, PAM_AUTHTOK, password); } 
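Review bot: The new declaration `char *torch_password = NULL;` in pam_sm_authenticate (hunk -61,7) has no comment, although the variable changed from a yes/no flag to the address of the buffer that is wiped at exit. A short comment such as `/* module-private password copy to zero on exit, or NULL */` would make that contract visible, in the manner of the comment on `got_authtok` a few lines above. The same applies to the matching declarations in pam_sm_chauthtok (hunk -43,7) and pam_sm_setcred (hunk -55,7). The function body continues outside this hunk.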
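Review bot: Resetting `torch_password = NULL;` before `pam_set_item(pamh, PAM_AUTHTOK, password)` in hunk -402,7 leaves the cleartext password in `my_password_buf` on the stack when the function returns after a prompt. Now that torch_password refers to the module's own buffer rather than to whatever `password` points at, the wipe can no longer touch a PAM-owned item. The reset therefore looks unnecessary, provided pam_set_item stores its own copy of the string; I believe common PAM implementations do, but confirm for every supported platform. The `strdup(password)` in hunk -418,7 runs before the memset there, so it would still see the value. The same reset appears in pam_sm_chauthtok (hunk -212,7 of afs_password.c); suggest dropping the line in both places, or replacing it with a comment that states why the buffer has to survive.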
@@ -418,7 +414,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, char *tmp = strdup(password); (void)pam_set_data(pamh, pam_afs_lh, tmp, lc_cleanup); if (torch_password) - memset((char *)password, 0, strlen(password)); + memset(torch_password, 0, strlen(torch_password)); } (void)setlogmask(origmask); #ifndef AFS_SUN56_ENV diff --git a/src/pam/afs_password.c b/src/pam/afs_password.c index d5372e9c67..1fca348056 100644 --- a/src/pam/afs_password.c +++ b/src/pam/afs_password.c @@ -43,7 +43,7 @@ pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) int try_first_pass = 0; int ignore_root = 0; int got_authtok = 0; /* got PAM_AUTHTOK upon entry */ - int torch_password = 1; + char *torch_password = NULL; int i; char my_password_buf[256]; char instance[256]; @@ -154,13 +154,11 @@ pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) pam_afs_syslog(LOG_DEBUG, PAMAFS_NOFIRSTPASS, user); } else if (password[0] == '\0') { /* Actually we *did* get one but it was empty. */ - torch_password = 0; pam_afs_syslog(LOG_INFO, PAMAFS_NILPASSWORD, user); RET(PAM_NEW_AUTHTOK_REQD); } else { if (logmask && LOG_MASK(LOG_DEBUG)) pam_afs_syslog(LOG_DEBUG, PAMAFS_GOTPASS, user); - torch_password = 0; got_authtok = 1; } if (!(use_first_pass || try_first_pass)) { @@ -169,7 +167,6 @@ pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) if (password == NULL) { char *prompt_password; - torch_password = 1; if (use_first_pass) RET(PAM_AUTH_ERR); /* shouldn't happen */ if (try_first_pass) @@ -200,7 +197,7 @@ pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) my_password_buf[sizeof(my_password_buf) - 1] = '\0'; memset(prompt_password, 0, strlen(password)); free(prompt_password); - password = my_password_buf; + password = torch_password = my_password_buf; } if ((code = ka_VerifyUserPassword(KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, (char *)user, /* kerberos name */ 
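Review bot: The wipe `memset(torch_password, 0, strlen(torch_password));` in hunk -418,7 is a plain memset on a local array on what looks like the exit path, so an optimizing compiler may remove it as a dead store. It also clears only up to the first NUL instead of the whole of `my_password_buf`. In the visible hunks torch_password is only ever set to `my_password_buf`, so clearing `sizeof(my_password_buf)` bytes through a non-elidable primitive would be more dependable: `explicit_bzero` or `memset_s` where the platform provides one, otherwise a small volatile-based helper shared by the three files. The same line is added at the exit paths of pam_sm_chauthtok (hunk -305,7) and pam_sm_setcred (hunk -359,7). Separately, the `strdup(password)` result just above goes to pam_set_data without a NULL check; the enclosing block starts outside this hunk.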
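Review bot: The context line `memset(prompt_password, 0, strlen(password));` in hunk -200,7 of afs_password.c takes its length from `password`, whereas the equivalent line in afs_auth.c and afs_setcred.c uses `strlen(prompt_password)`. This code appears to sit inside the `if (password == NULL)` block opened in hunk -169,7, and `password` is assigned only on the line after the `free`. Unless a line outside the hunk sets it earlier, strlen() is called on a NULL pointer and the prompted copy is never cleared. The commit edits the neighbouring assignment but leaves this line; it should read `memset(prompt_password, 0, strlen(prompt_password));`.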
@@ -212,7 +209,7 @@ pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user, reason); RET(PAM_AUTH_ERR); } - torch_password = 0; + torch_password = NULL; pam_set_item(pamh, PAM_AUTHTOK, password); pam_set_item(pamh, PAM_OLDAUTHTOK, password); if (flags & PAM_PRELIM_CHECK) { @@ -305,7 +302,7 @@ pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc, const char **argv) out: if (password && torch_password) { - memset((char *)password, 0, strlen(password)); + memset(torch_password, 0, strlen(torch_password)); } (void)setlogmask(origmask); #ifndef AFS_SUN56_ENV diff --git a/src/pam/afs_setcred.c b/src/pam/afs_setcred.c index ec8398f769..1bc22290e4 100644 --- a/src/pam/afs_setcred.c +++ b/src/pam/afs_setcred.c @@ -55,7 +55,7 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) char my_password_buf[256]; char *cell_ptr = NULL; char sbuffer[100]; - int torch_password = 1; + char *torch_password = NULL; int auth_ok = 0; char *lh; PAM_CONST char *user = NULL; @@ -207,7 +207,6 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) } else if (password[0] == '\0') { /* Actually we *did* get one but it was empty. */ got_authtok = 1; - torch_password = 0; /* So don't use it. */ password = NULL; if (use_first_pass) { @@ -219,7 +218,6 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) } else { if (logmask && LOG_MASK(LOG_DEBUG)) pam_afs_syslog(LOG_DEBUG, PAMAFS_GOTPASS, user); - torch_password = 0; got_authtok = 1; } if (!(use_first_pass || try_first_pass)) { @@ -230,8 +228,6 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) if (password == NULL) { char *prompt_password; - torch_password = 1; - if (use_first_pass) RET(PAM_AUTH_ERR); /* shouldn't happen */ if (try_first_pass) 
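Review bot: The guard `if (password && torch_password)` at `out:` in hunk -305,7 still tests `password`, although the memset beneath it no longer dereferences that pointer. With the pointer form, `torch_password` alone says whether there is a private buffer to clear. Keeping `password` in the condition would skip the wipe on any path that sets `password` back to NULL after the prompt; pam_sm_setcred does assign `password = NULL` in its hunk -207,7, though on a branch that runs before any prompt. Suggest `if (torch_password)` here and at the matching exit path of pam_sm_setcred (hunk -359,7); the inner test in afs_auth.c (hunk -418,7) already has that form.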
@@ -265,7 +261,7 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) my_password_buf[sizeof(my_password_buf) - 1] = '\0'; memset(prompt_password, 0, strlen(prompt_password)); free(prompt_password); - password = my_password_buf; + password = torch_password = my_password_buf; } /* * We only set a PAG here, if we haven't got one before in @@ -327,7 +323,7 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) /* pam_sm_authenticate should have set this * if (auth_ok && !got_authtok) { - * torch_password = 0; + * torch_password = NULL; * (void) pam_set_item(pamh, PAM_AUTHTOK, password); * } */ @@ -359,7 +355,7 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) out: if (password && torch_password) - memset((char*)password, 0, strlen(password)); + memset(torch_password, 0, strlen(torch_password)); (void)setlogmask(origmask); #ifndef AFS_SUN56_ENV closelog();