Password as plain text in script

bhnuser
Posts: 42
Joined: Fri Apr 06, 2018 7:35 am

Password as plain text in script

Post by bhnuser » Tue May 21, 2019 2:32 am

Hello everybody,

I have a question about the password in a script. A service user with high rights should be deposited in the script so that it is transparent to the end user. The script is exported to an executable file (.exe). My question is: how can I implement it so that a user cannot get to the password by decryption or similar?
Does anyone have experience with this?

Best regards

Alexander Riedel
Posts: 7121
Joined: Tue May 29, 2007 4:43 pm

Re: Password as plain text in script

Post by Alexander Riedel » Tue May 21, 2019 4:17 am

Never, ever put passwords in plain text in a script. Even though the code inside the executable is encrypted, it is not a safe storage facility. It is only meant to obscure the code from static analysis and a casual user. The nature of PowerShell requires the code to exist as plain text at the time of execution, so there is a chance it can be captured or even logged by PowerShell's logging mechanisms.
Use secure strings to store sensitive information:
https://docs.microsoft.com/en-us/powers ... rshell-5.1
Alexander Riedel
SAPIEN Technologies, Inc.

bhnuser
Posts: 42
Joined: Fri Apr 06, 2018 7:35 am

Re: Password as plain text in script

Post by bhnuser » Tue May 21, 2019 11:58 pm

Thank you for your prompt reply.
I would not like to deposit the password as plain text in my script in any case. I have already worked with ConvertTo .... but I cannot find a solution. I have the SecureString, but it can be easily decrypted by PowerShell. So I cannot think of a 100% solution for my script. Maybe someone has already found a solution that is not 100% but can still be safe for a company?

jvierra
Posts: 14000
Joined: Tue May 22, 2007 9:57 am

Re: Password as plain text in script

Post by jvierra » Wed May 22, 2019 7:19 am

There is no way to prevent a user from discovering a password that they must use. The user account must be able to decrypt any password that needs to be used. You can store the password encrypted to the user account in a file or the registry on a per-user basis. The code would then read the encrypted password, decrypt it, and use it. This encryption would have to be done on a per-account basis. The password would be visually hidden but anyone with access to the user account via a login can decrypt the password. This allows for a simple level of protection assuming the user protects their account. Admin passwords should never be stored anywhere using this method.
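
The per-user storage described in the post above, as an added example that is not part of the original thread or any poster's code. It assumes Windows (where `ConvertFrom-SecureString` without `-Key` uses DPAPI tied to the current account and machine); the file path, function names and account name are hypothetical.

```powershell
# Added example. Paths, function names and the account name are hypothetical.
# Windows only: without -Key, ConvertFrom-SecureString protects the value with
# DPAPI, scoped to the current user account on the current machine.

$credFile = Join-Path $env:LOCALAPPDATA 'MyTool\svc-cred.txt'   # hypothetical per-user location

function Save-ServicePassword {
    param([Parameter(Mandatory)][string]$Path)
    # Prompt once, interactively, as the account that will later run the script.
    $secure = Read-Host -Prompt 'Service account password' -AsSecureString
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # The stored blob cannot be decrypted by other accounts or on other machines.
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Get-ServiceCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    try {
        $secure = Get-Content -Path $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # Typical when the file was created by a different account or machine.
        throw "Cannot decrypt '$Path' as $env:USERNAME: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# One-time setup per account.
if (-not (Test-Path $credFile)) { Save-ServicePassword -Path $credFile }

$cred = Get-ServiceCredential -Path $credFile -UserName 'CONTOSO\svc-task'  # constructed name

# The limitation raised in the thread: the owning account can always turn the
# SecureString back into plain text, so this only hides the value from others.
$plainLength = $cred.GetNetworkCredential().Password.Length
"Password is recoverable by $env:USERNAME ($plainLength characters)"
```

Running `Get-ServiceCredential` against the same file from a different account fails in the `catch` branch, which is the per-account boundary the post relies on.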
