AvoidUsingConvertToSecureStringWithPlainText
Severity Level: Error
Description
The use of the AsPlainText parameter with the ConvertTo-SecureString command can expose secure information.
How
Use a standard encrypted variable to perform any SecureString conversions.
Recommendations
If you do need an ability to retrieve the password from somewhere without prompting the user, consider using the SecretStore module from the PowerShell Gallery.
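A sketch of that recommendation, added here as an example and not taken from the PSScriptAnalyzer documentation. It assumes the Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore modules are already installed; the function name, vault name, secret name and account name are hypothetical.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

function Get-StoredCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $UserName,
        [string] $SecretName = 'DemoServicePassword',  # hypothetical secret name
        [string] $VaultName  = 'DemoVault'             # hypothetical vault name
    )

    # Register a SecretStore-backed vault the first time this runs for the user.
    if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore
    }

    # One-time provisioning: read the password straight into a SecureString
    # and store it. No plain-text string and no -AsPlainText are involved.
    if (-not (Get-SecretInfo -Name $SecretName -Vault $VaultName)) {
        $newSecret = Read-Host "Password for $UserName" -AsSecureString
        Set-Secret -Name $SecretName -SecureStringSecret $newSecret -Vault $VaultName
    }

    # Later runs: Get-Secret returns the value as a SecureString
    # (it only returns plain text when -AsPlainText is requested).
    $password = Get-Secret -Name $SecretName -Vault $VaultName

    # Hand the SecureString directly to the credential object.
    [pscredential]::new($UserName, $password)
}

# Constructed sample call; 'svc-demo' is a placeholder account name.
$credential = Get-StoredCredential -UserName 'svc-demo'
```

With its default configuration SecretStore asks for the vault password when the store is locked; Unlock-SecretStore can unlock it for the session before the script calls Get-Secret.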
Example
Wrong
# The input is held as a plain string in $UserInput before it is converted.
$UserInput = Read-Host 'Please enter your secure code'
$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
Correct
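# Read the value directly into a SecureString so the script never holds it as a plain string.
$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString
# Serialize it to an encrypted standard string, then convert it back when needed.
$EncryptedInput = ConvertFrom-SecureString -SecureString $SecureUserInput
$SecureString = ConvertTo-SecureString -String $EncryptedInput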