diff --git a/src/core/auth/qgsauthmanager.cpp b/src/core/auth/qgsauthmanager.cpp
index 4696fc16bd8e..b6d1f3e627ff 100644
--- a/src/core/auth/qgsauthmanager.cpp
+++ b/src/core/auth/qgsauthmanager.cpp
@@ -200,6 +200,8 @@ bool QgsAuthManager::ensureInitialized() const
   return mLazyInitResult;
 }
 
+static char *sPassFileEnv = nullptr;
+
 bool QgsAuthManager::initPrivate( const QString &pluginPath )
 {
   if ( mAuthInit )
@@ -314,17 +316,11 @@ bool QgsAuthManager::initPrivate( const QString &pluginPath )
   initSslCaches();
 #endif
   // set the master password from first line of file defined by QGIS_AUTH_PASSWORD_FILE env variable
-  const char *passenv = "QGIS_AUTH_PASSWORD_FILE";
-  if ( getenv( passenv ) && masterPasswordHashInDatabase() )
+  if ( sPassFileEnv && masterPasswordHashInDatabase() )
   {
-    QString passpath( getenv( passenv ) );
-    // clear the env variable, so it can not be accessed from plugins, etc.
-    // (note: stored QgsApplication::systemEnvVars() skips this env variable as well)
-#ifdef Q_OS_WIN
-    putenv( passenv );
-#else
-    unsetenv( passenv );
-#endif
+    QString passpath( sPassFileEnv );
+    free( sPassFileEnv );
+    sPassFileEnv = nullptr;
 
     QString masterpass;
     QFile passfile( passpath );
@@ -368,6 +364,20 @@ void QgsAuthManager::setup( const QString &pluginPath, const QString &authDataba
 {
   mPluginPath = pluginPath;
   mAuthDatabaseConnectionUri = authDatabasePath;
+
+  const char *p = getenv( "QGIS_AUTH_PASSWORD_FILE" );
+  if ( p )
+  {
+    sPassFileEnv = qstrdup( p );
+
+    // clear the env variable, so it can not be accessed from plugins, etc.
+    // (note: stored QgsApplication::systemEnvVars() skips this env variable as well)
+#ifdef Q_OS_WIN
+    putenv( "QGIS_AUTH_PASSWORD_FILE" );
+#else
+    unsetenv( "QGIS_AUTH_PASSWORD_FILE" );
+#endif
+  }
 }
 
 bool QgsAuthManager::isDisabled() const