{"id":3294,"date":"2018-07-07T16:19:12","date_gmt":"2018-07-07T21:19:12","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=3294"},"modified":"2018-07-27T16:39:12","modified_gmt":"2018-07-27T21:39:12","slug":"powershell-credentials","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=3294","title":{"rendered":"PowerShell Credentials"},"content":{"rendered":"<p>I&#8217;ve only recently started using PowerShell to perform automated batch functions, and storing passwords in plain text is a\u00a0<em>huge<\/em> problem. In other languages, I crypt the password with a string stored elsewhere, then use the elsewhere-stored string in conjunction with the cipher text to retrieve the password. There&#8217;s a\u00a0<em>really<\/em> easy way to accomplish this in PowerShell. It does not split the credential into two separate entities that force an attacker to obtain something from two places (i.e. reading a file on disk is good enough),\u00a0<em>but<\/em> if they&#8217;re already reading my code and on my server, the attacker could easily repeat the algorithmic process of retrieving the other string. That is a long way to say the PowerShell approach may <em>seem<\/em> less secure but, effectively, it isn&#8217;t much less secure.<\/p>\n<p>The first step is to\u00a0<em>store<\/em> the password in a file. 
Use &#8220;read-host -AsSecureString&#8221; to grab the password from user input, pipe that to convertfrom-securestring to turn it into a big ugly jumble of text, then pipe\u00a0<em>that<\/em> out to a file:<\/p>\n<p>read-host -assecurestring | convertfrom-securestring | out-file -filepath c:\\temp\\pass.txt<\/p>\n<p>View the content of the file and you&#8217;ll see &#8230; a big long hex thing.<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/?attachment_id=3295\" rel=\"attachment wp-att-3295\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3295\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2018\/07\/StorePassForCredential.png\" alt=\"\" width=\"983\" height=\"231\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2018\/07\/StorePassForCredential.png 983w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2018\/07\/StorePassForCredential-300x70.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2018\/07\/StorePassForCredential-768x180.png 768w\" sizes=\"auto, (max-width: 983px) 100vw, 983px\" \/><\/a><\/p>\n<p>Great, I&#8217;ve got a bunch of rubbish in a file. How do I use that in a script? 
Set a variable to the content of the file piped through convertto-securestring and then use that password to create a new PSCredential object:<\/p>\n<p>$strPassword = get-content -path c:\\temp\\pass.txt | convertto-securestring<br \/>\n$cred = new-object -typename PSCredential -argumentlist 'UserID',$strPassword<\/p>\n<p>Voila, $cred is a credential that you can use in other commands.<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/?attachment_id=3296\" rel=\"attachment wp-att-3296\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3296\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2018\/07\/RetrievePassForCredential.png\" alt=\"\" width=\"983\" height=\"324\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2018\/07\/RetrievePassForCredential.png 983w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2018\/07\/RetrievePassForCredential-300x99.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2018\/07\/RetrievePassForCredential-768x253.png 768w\" sizes=\"auto, (max-width: 983px) 100vw, 983px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve only recently started using PowerShell to perform automated batch functions, and storing passwords in plain text is a\u00a0huge problem. In other languages, I crypt the password with a string stored elsewhere, then use the elsewhere-stored string in conjunction with the cipher text to retrieve the password. 
There&#8217;s a\u00a0really easy way to accomplish this in &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[622,69],"class_list":["post-3294","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-powershell","tag-security"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3294"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3294\/revisions"}],"predecessor-version":[{"id":4926,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/3294\/revisions\/4926"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}