In PowerShell, passwords should be handled as SecureString objects rather than plain-text strings.
These user scenarios should be done securely:
- Get password from user securely
- Store password securely
- Retrieve password securely
Get password from user securely
You can use Get-Credential,
optionally with the -Message parameter
(which accepts a string, in case you want to add a custom message to the credential prompt; -UserName pre-fills the user name so the user only has to type the password)
$credential = Get-Credential
The PSCredential object has a property called "Password", which is of type SecureString.
If we have a plain-text string and want to convert it to a SecureString you can use the command ConvertTo-SecureString with -AsPlainText -Force. Keep in mind that the plain-text value has already been in memory (and possibly in the command history) by then, so this is a convenience, not a protection.
ConvertFrom-SecureString turns a SecureString into an encrypted standard string. Without -Key or -SecureKey it is based on the Windows Data Protection API (DPAPI), so the output can only be decrypted by the same user account on the same computer where it was encrypted. With -Key (AES, 16, 24 or 32-byte key) it can be decrypted wherever the key is available, which moves the problem to protecting the key.
You can read more about ConvertTo-SecureString in the official PowerShell documentation.
Store password securely
$credential.Password is already a SecureString; to persist it, convert it to an encrypted standard string with ConvertFrom-SecureString and write that to a file. Only the encrypted form should ever reach disk.
$securePassword = $credential.Password
$securePassword | ConvertFrom-SecureString | Out-File "C:\Path\To\My\SecurePassword.txt"
Restrict the file's ACL to the account that will read it. You could also use a key management system, such as a credential vault, password manager or HSM.
Retrieve password securely
Read the encrypted string back, convert it to a SecureString with ConvertTo-SecureString, and rebuild the PSCredential. GetNetworkCredential() is a method of the PSCredential object (not a command); its Password property gives the plain text. "username" below is a placeholder for the account name.
$securePassword = Get-Content "C:\Path\To\My\SecurePassword.txt" | ConvertTo-SecureString
$password = (New-Object System.Management.Automation.PSCredential("username", $securePassword)).GetNetworkCredential().Password
If we have a SecureString and want to convert it to a plain-text string, ConvertTo-SecureString is the wrong command (it goes from text to SecureString); use GetNetworkCredential().Password as above, or [System.Net.NetworkCredential]::new('', $securePassword).Password. Do this only at the point where an API actually needs the plain text, and never write the value to logs or to variables that outlive that call.
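The whole get / store / retrieve workflow from the sections above, as an added example that is not code from the original page. The file path, the account name svc_backup, the function names, the scriptblock consumer and the optional -Key branch (the AES alternative to DPAPI) are assumptions for illustration.

```powershell
# Added example, not code from the original page. Demonstrates the full
# get / store / retrieve round trip for a PSCredential. The file path, the
# account name and the function names are assumptions for illustration.

$credPath = Join-Path $env:USERPROFILE 'SecurePassword.txt'   # assumed location

function Save-CredentialPassword {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Path,
        [byte[]] $Key                      # optional: 16, 24 or 32 bytes for AES
    )
    # Without -Key, ConvertFrom-SecureString protects the value with DPAPI, so
    # it can only be decrypted by this Windows user on this machine. With -Key
    # the same blob can be decrypted anywhere the key is available, which makes
    # protecting the key the new problem.
    $opt = @{}
    if ($Key) { $opt.Key = $Key }
    $Credential.Password | ConvertFrom-SecureString @opt | Set-Content -Path $Path

    # Restrict the file to the current user. DPAPI already binds the blob to
    # this user, but there is no reason to expose even the ciphertext.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Path,
        [byte[]] $Key                      # must match the key used when saving
    )
    # Reverse direction: encrypted standard string -> SecureString -> PSCredential.
    $opt = @{}
    if ($Key) { $opt.Key = $Key }
    $secure = Get-Content -Path $Path | ConvertTo-SecureString @opt
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

function Invoke-WithPlainTextPassword {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    # Unwrap to plain text only at the moment an API needs it, and keep the
    # value inside this function. GetNetworkCredential() is a method on the
    # PSCredential object; ConvertTo-SecureString goes the other way.
    $plain = $Credential.GetNetworkCredential().Password
    # .NET strings are immutable, so the plain text cannot be reliably zeroed;
    # the mitigation is a short lifetime and never writing it to logs.
    & $Action $plain
}

# 1. Get the password from the user, with a custom prompt and pre-filled user name.
$credential = Get-Credential -Message 'Password for the backup service account' -UserName 'svc_backup'

# 2. Store it DPAPI-protected (only the same user on the same machine can read it back).
Save-CredentialPassword -Credential $credential -Path $credPath

# 3. Retrieve it later, e.g. from a scheduled task running as the same user,
#    and use the plain text only inside the call that needs it.
$restored = Get-StoredCredential -UserName 'svc_backup' -Path $credPath
Invoke-WithPlainTextPassword -Credential $restored -Action {
    param($p)
    # Hypothetical consumer: here you would pass $p to the API that needs it.
    "Retrieved a $($p.Length)-character password for $($restored.UserName)"
}
```

If the saved file is copied to another machine or read by a different user, the DPAPI branch of Get-StoredCredential fails at ConvertTo-SecureString rather than yielding a wrong password; that failure is the property the page relies on. Only pass -Key when you have somewhere safer to keep the key than the file itself.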