How to handle PowerShell Secure Strings

Question

How do I properly enter and store a secure password? I am needing to Convert it from Secure in order to put in to JSON to get a REST token.

My example is:

PS C:\Temp> $secpass = Read-Host -assecurestring "Please enter password";

Please enter password: *****

PS C:\Temp> echo $secpass

System.Security.SecureString

PS C:\Temp> $pass = ConvertFrom-SecureString $secpass

PS C:\Temp> echo $pass 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004fe37b5a39a93542a74298c3740cae0b0000000002000000000003660000c00000001000000096aa9947681adf56ce6f9fd2d9ced2140000000004800000a0000000100000006bbff8b1e2115682e9be4c775d8372ee10000000b80a4a99147901275a9080c257712b1914000000010eabc8c134837751dbd2d648dbbca1f7335e9f

PS C:\Temp>

I want to run the ConvertFrom-SecureString and get my simple plain text password back.

EDIT;

I have the following function that obtains a REST Token:

function Get-AuthToken {
    Param(
        [string]$server,
        [string]$username,
        [securestring]$password
    )

        $creds = @{
        username = $username
        password = $password
        grant_type = "password"
        };

    Invoke-RestMethod -Method Post "$server/api/token" -Body $creds

}

To build $creds correctly the password needs to be in plain text.

Furthermore I also have the following to cover the case where password string is not given when the script is run:

If(!$Password) {
            [ValidatePattern("\w+")]$password = Read-Host -assecurestring "Please enter password";
            }

As per first answer given here Convert a secure string to plain text I have tried to add the following before calling the Get-AuthToken function:

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$unsecurePassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$response = Get-AuthToken -username $User -password $unsecurePassword -server $server

If I do a Write-Host $unsecurePassword I can see the correct string however the Get-AuthToken fails authentication.

EDIT 2:

If I change the function to :

function Get-AuthToken {
        Param(
            [string]$server,
            [string]$username,
            [string]$password
        )

            $creds = @{
            username = $username
            password = $password
            grant_type = "password"
            };

        Invoke-RestMethod -Method Post "$server/api/token" -Body $creds

    }

Which is making the $password parameter a string rather than a secure string then it works however don't believe this is best practice since Visual Studio Code is complaining.

https://blogs.technet.microsoft.com/heyscriptingguy/2013/03/26/decrypt-powershell-secure-string-password/ — David Brabant, Feb 03 '17 at 15:57

Shmukko · Answer 1 · 2017-02-03T15:53:01.803

0

It's not recommended for production systems but try this:

$secpass = Read-Host -assecurestring "Please enter password"
$credentials = New-Object System.Net.NetworkCredential("UserTest", $secpass, "Domain")
$credentials.Password

You cannot do that with ConvertFrom-SecureString

edited Feb 03 '17 at 15:53

answered Feb 03 '17 at 15:46

Shmukko

572
3
11

`I want to run the ConvertFrom-SecureString and get my simple plain text password back.` – 4c74356b41 Feb 03 '17 at 15:49
@Shmukko - Not sure I want to do this if it's not suitable for a production system. See my edit above for more detail. – dross Feb 03 '17 at 16:21

How to handle PowerShell Secure Strings

1 Answers1