Password as plain text in script

This topic is 4 years and 10 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Post by bhnuser »

Hello everybody,

I have a question about the password in a script. A service user with high rights should be deposited in the script so that it is transparent to the end user. The script is exported to an executable file (.exe). My question is: how can I implement it so that a user cannot get to the password by decryption or similar?
Does anyone have experience with this?

Best regards

Post by Alexander Riedel »

Never, ever put passwords in plain text in a script. Even though the code inside the executable is encrypted, it is not a safe storage facility. It is only meant to obscure the code from static analysis and a casual user. The nature of PowerShell requires the code to exist as plain text at the time of execution, so there is a chance it can be captured or even logged by PowerShell's logging mechanisms.
Use secure strings to store sensitive information:
https://docs.microsoft.com/en-us/powers ... rshell-5.1
Alexander Riedel
SAPIEN Technologies, Inc.

Post by bhnuser »

Thank you for your prompt reply.
I would not like to deposit the password as plain text in my script in any case. I have already worked with ConvertTo .... but I cannot find a solution. I have the SecureString, but it can be easily decrypted by PowerShell. So I cannot think of a 100% solution for my script. Maybe someone has already found a solution that is not 100% but can still be safe for a company?

Post by jvierra »

There is no way to prevent a user from discovering a password that they must use. The user account must be able to decrypt any password that needs to be used. You can store the password encrypted to the user account in a file or the registry on a per-user basis. The code would then read the encrypted password, decrypt it, and use it. This encryption would have to be done on a per-account basis. The password would be visually hidden but anyone with access to the user account via a login can decrypt the password. This allows for a simple level of protection assuming the user protects their account. Admin passwords should never be stored anywhere using this method.
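
The per-user storage described in the last reply, as an added example that is not part of the original thread or any poster's code. It assumes Windows (where `ConvertFrom-SecureString` without a key uses DPAPI); the function names, the `ExampleApp` path and the account name are hypothetical.

```powershell
# Added example. Function names, path and account name are hypothetical.
$SecretPath = Join-Path $env:LOCALAPPDATA 'ExampleApp\svc-secret.txt'

function Save-ServiceSecret {
    param(
        [Parameter(Mandatory)] [securestring] $Secret,
        [string] $Path = $SecretPath
    )
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    # Without -Key/-SecureKey, ConvertFrom-SecureString protects the value with
    # Windows DPAPI: only the same user account on the same computer can decrypt it.
    $Secret | ConvertFrom-SecureString | Set-Content -Path $Path -Encoding ASCII
}

function Get-ServiceCredential {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Path = $SecretPath
    )
    if (-not (Test-Path $Path)) {
        throw "No stored secret at $Path. Run Save-ServiceSecret as this user first."
    }
    try {
        $secure = Get-Content -Path $Path | ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical when the file was written by another account or on another machine.
        throw "Cannot decrypt $Path as $($env:USERNAME): $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# One-time enrollment, run interactively as the account that will run the script.
Save-ServiceSecret -Secret (Read-Host 'Service account password' -AsSecureString)

# Later runs read the stored value; nothing sensitive is embedded in the script.
$cred = Get-ServiceCredential -UserName 'CONTOSO\svc-example'   # constructed name

# The limitation stated in the thread: the account that can use the secret can
# also recover it. Only the fact is reported here, not the value.
$recoverable = $cred.GetNetworkCredential().Password.Length -gt 0
"Plaintext recoverable by $($env:USERNAME): $recoverable"
```

The last two lines show why this only hides the value from other accounts: anyone who can log in as the enrolling user can decrypt it.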