How to handle Passwords Securely in PowerShell

Secure strings should be used.

These user scenarios should be done securely:

  1. Get password from user securely
  2. Store password securely
  3. Retrieve password securely

Get password from user securely

You can use Get-Credential, or Get-Credential with its -Message parameter (which accepts a string, in case you want to add a custom message to the credential prompt).

$credential = Get-Credential

The PSCredential object has a property called "Password" that is of type SecureString.

If we have a plain text string and want to convert it to a SecureString, use the ConvertTo-SecureString cmdlet.

ConvertFrom-SecureString (when no -Key is given) is based on the Windows Data Protection API (DPAPI). The resulting encrypted string can only be decrypted on the computer where it was created, and only by the same user account.

You can read more about ConvertTo-SecureString on this external link.

Store password securely

The Password property of the PSCredential is already a SecureString; to store it, convert it to an encrypted standard string with ConvertFrom-SecureString and write that to a file. The plain text never touches the disk.

$securePassword = $credential.Password

$securePassword | ConvertFrom-SecureString | Out-File "C:\Path\To\My\SecurePassword.txt"

You could also use a key management system, like a credential vault, password manager or HSM.

Retrieve password securely

The GetNetworkCredential() method of the PSCredential object is used.

$password = $credential.GetNetworkCredential().Password

If we have an encrypted standard string (as saved above) and want to turn it back into a SecureString, use ConvertTo-SecureString. GetNetworkCredential() is what exposes the plain text string, so only call it when an API really needs plain text; otherwise pass the PSCredential object itself to cmdlets that take -Credential.
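The three steps above combined into one round trip, as an added example that is not code from the original post. It assumes the save and the load run as the same Windows user on the same machine (the DPAPI constraint); the file path, the prompt text and the server name are placeholders.

```powershell
# Added example: prompt -> store encrypted -> retrieve as PSCredential.
# Assumes same user and same machine for both halves (DPAPI, no -Key).
$credFile = Join-Path $env:LOCALAPPDATA 'MyApp\svc-account.cred'   # assumed path

function Save-StoredCredential {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Message = 'Enter the service account credentials'
    )
    # 1. Get the password from the user; .Password is already a SecureString.
    $credential = Get-Credential -Message $Message
    if (-not $credential) { throw 'No credential entered.' }

    # 2. Store it. ConvertFrom-SecureString emits a DPAPI-encrypted standard
    #    string, never the plain text. The user name goes on line 1, the
    #    encrypted password on line 2, so the file is self-describing.
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $encrypted = $credential.Password | ConvertFrom-SecureString
    @($credential.UserName, $encrypted) | Set-Content -Path $Path -Encoding UTF8
}

function Get-StoredCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $lines = Get-Content -Path $Path
    if ($lines.Count -lt 2) { throw "Unexpected format in $Path" }

    # 3. Retrieve. ConvertTo-SecureString reverses ConvertFrom-SecureString.
    #    If the file was copied to another machine or user profile, DPAPI
    #    cannot unwrap it; surface that as a clear error instead of a cryptic one.
    try {
        $secure = $lines[1] | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        throw "Cannot decrypt $Path here (encrypted under another user or machine): $_"
    }
    # Hand back a PSCredential so callers never need the plain text themselves.
    New-Object System.Management.Automation.PSCredential ($lines[0], $secure)
}

# Usage (placeholders):
# Save-StoredCredential -Path $credFile
# $cred = Get-StoredCredential -Path $credFile
# Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock { hostname }
# Only when an API truly requires plain text:
# $plain = $cred.GetNetworkCredential().Password
```

Prefer passing the PSCredential to cmdlets that accept -Credential; GetNetworkCredential().Password materialises the secret in process memory and in any transcript or log that captures the variable.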
