The password isn't written anywhere.

The file


stores program-wide settings (like connection type and tray icon), password is used to encrypt a key, which is used to encrypt your local cache and auth keys to the cloud.

When you enter a password Telegram Desktop tries to decrypt the key by it and if we was able to decrypt it — it is the correct password.

When one changes the password, we re-encrypt the key and everything is encrypted by a new password.

It is safe to give full access to your computer with a strong passworded Telegram Desktop only when one closed it. While it is running (even if locked) it has unencrypted keys in memory and it can be taken from RAM. It is done so that it can work and receive messages and show notifications while it is locked (notifies without sender name and message text, like in iOS / Android pushes when app is locked).