4

I have a simple example pieced together from some other posts:

[CmdletBinding(
    DefaultParameterSetName = 'Secret'
)]
Param (
    [Parameter(Mandatory=$True)]
    [string]$FileLocation,

    [Parameter(
        Mandatory = $True,
        ParameterSetName = 'Secret'
    )]
    [Security.SecureString]${Type your secret password},
    [Parameter(
        Mandatory = $True,
        ParameterSetName = 'Plain'
    )]
    [string]$Password
)

if ($Password) {
    $SecretPassword = $Password | ConvertTo-SecureString -AsPlainText -Force
} else {
    $SecretPassword = ${Type your secret password}
}

Write-Host $SecretPassword
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecretPassword)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Write-Host $PlainPassword

https://social.technet.microsoft.com/wiki/contents/articles/4546.working-with-passwords-secure-strings-and-credentials-in-windows-powershell.aspx

How can I use PowerShell's Read-Host function to accept a password for an external service?

When running the script, how can I make it possible for the entered password to be masked?

So instead of this:

PS C:\temp> .\test.ps1 -FileLocation C:\Temp\file.csv  -Password secret

This:

PS C:\temp> .\test.ps1 -FileLocation C:\Temp\file.csv  -Password ******
dross

3 Answers

9

First capture the password using the below statement:

$password = Read-Host "Enter Your Password" -AsSecureString

This will mask the characters entered by the user on the screen.

But you cannot use this string directly. In order to use this secure string in your script, you need to convert this to a binary string:

$Newpass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))

And then use $Newpass as the password entered by the user.

Ajay Pawar
  • You can prompt for the password; receiving the password using a parameter will not serve your purpose of masking the password. – Ajay Pawar Feb 08 '17 at 08:14
3

To start with, your example isn't going to happen. You are suggesting that you want whatever shell they execute the script from to mask the password, as it is entered as a parameter, before the script even executes. Not happening.

Now, an alternative would be to not accept the password as a parameter, and instead prompt for it every time. In that case you could reduce that entire If($Password) statement to just be:

$SecretPassword = Read-Host 'Type your secret password' -AsSecureString
TheMadTechnician
2

The -AsSecureString parameter does this:

-AsSecureString

Indicates that the cmdlet displays asterisks (*) in place of the characters that the user types as input.

4c74356b41
Richard Szalay
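Added example (not code from any of the posts above): the approach the answers describe, combined into one script that never takes the password as plain text on the command line, prompts with masking when no SecureString is supplied, and wipes the unmanaged copy after conversion. The helper name ConvertTo-PlainText and the placeholder where the external service would be called are assumptions for illustration.

```powershell
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]$FileLocation,

    # Optional: a caller may pass a SecureString it built elsewhere.
    # There is deliberately no [string] password parameter, so nothing
    # secret ends up in the command line or the console history.
    [System.Security.SecureString]$Password
)

# No SecureString supplied: prompt for it. -AsSecureString masks the
# typed characters and returns a SecureString instead of a string.
if ($null -eq $Password) {
    $Password = Read-Host -Prompt 'Type your secret password' -AsSecureString
}

# Hypothetical helper: convert a SecureString to plain text for an
# external service that only accepts a plain string.
function ConvertTo-PlainText {
    param ([System.Security.SecureString]$Secure)

    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        # PtrToStringBSTR reads the whole length-prefixed BSTR.
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Zero and free the unmanaged copy even if the conversion throws.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$plain = ConvertTo-PlainText -Secure $Password
try {
    # Placeholder: pass $plain to the external service here.
    # Do not Write-Host it; console output can end up in transcripts.
    Write-Host "Password captured for $FileLocation (not echoed)."
}
finally {
    # A managed string cannot be wiped in place; drop the reference
    # as soon as the service call is done.
    $plain = $null
}
```

If the external service accepts a PSCredential or a SecureString directly, pass that instead and skip the plain-text conversion entirely.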