Are saved Remote Desktop credentials secure (loosely speaking) on the local machine? They aren’t stored as clear text anywhere at least, are they?
Edit: I understand the inherent risks of saving passwords. Certainly though there is a spectrum of effectiveness, for instance saving a password through something like
CryptProtectData(what Google Chrome uses on Win32) is obviously better than saving a password in clear text.
Solution:
Older versions of Remote Desktop client store the password in the .rdp file, which can easily be decrypted.
As of Remote Desktop Client v6, credentials are stored using Windows Credentials API. The passwords are securely encrypted using a key tied to your Windows user account (CryptProtectData as described in the SecurityXploded article @StackExchanger linked to), and accessing them requires your Windows password (or the “password recovery” disk). They can be read by any program you run, however, such as NetPass.
Note that if someone has physical access, they can crack the passwords using something like Ophcrack, or install a keylogger.