This repository has been archived by the owner on Sep 1, 2021. It is now read-only.

New-StoredCredential returns object with password in plain text #13

Open
martin9700 opened this issue Dec 4, 2016 · 3 comments

Comments

@martin9700

Please remove the Password property from the object returned from New-StoredCredential. This has massive security issues and most Enterprises will not be able to use the module because of it.

@gregnorz

The hacky workaround is to pipe the output of New-StoredCredential to Out-Null. That will keep it from appearing on screens or in log files, potentially, but it doesn't solve the main problem that the SecurePassword is getting decrypted into memory at some point.

@mabster

mabster commented Mar 3, 2020

Ideally the New-StoredCredential cmdlet should return an actual PSCredential object (or something shaped like it). That way we could do something like:

```powershell
$cred = (Get-Credential | New-StoredCredential -Target 'foo')
```

... and then use $cred as credentials later in the same script. The password would be a SecureString then, I think, which would resolve this issue.

The easy answer is to change PSCredentialManager.Cmdlet/Cmdlets.cs line 316 to:

```csharp
WriteObject(nativeCredential);
```

... but I'm not sure if that would break any tests. It certainly could break some existing code. Perhaps an -AsCredentialObject switch on New-StoredCredential so people can add it if they need backwards compatibility?
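
The Out-Null workaround and the PSCredential-shaped return value discussed in the comments above can be combined in a caller-side wrapper. This is an added example, not code from the module or from any commenter; `Save-StoredCredential` and `Test-PlainTextSecret` are hypothetical names, and the wrapper does not change what the cmdlet does internally (the in-memory decryption mentioned above).

```powershell
# Added example; function names are hypothetical, not part of the module.
# Requires the module that provides New-StoredCredential to be installed.

function Save-StoredCredential {
    # Stores a credential under -Target, discards the cmdlet's return object
    # (which this issue reports carries a plain-text Password property), and
    # returns the caller's own PSCredential instead.
    [CmdletBinding()]
    [OutputType([pscredential])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscredential]$Credential,

        [Parameter(Mandatory)]
        [string]$Target
    )
    process {
        # Same pipeline form as in the comment above; Out-Null keeps the
        # returned object out of the console, transcripts and variables.
        $Credential | New-StoredCredential -Target $Target | Out-Null
        $Credential
    }
}

function Test-PlainTextSecret {
    # Returns $true when an object exposes a non-empty [string] property
    # whose name contains 'Password'. Usable as a guard in a test suite.
    param([Parameter(Mandatory)][object]$InputObject)
    foreach ($p in $InputObject.PSObject.Properties) {
        if ($p.Name -like '*Password*' -and $p.Value -is [string] -and $p.Value.Length -gt 0) {
            return $true
        }
    }
    return $false
}

# Constructed sample credential (not a real account).
$secure = ConvertTo-SecureString 'constructed-sample' -AsPlainText -Force
$sample = [pscredential]::new('demo-user', $secure)

# Writes an entry for target 'foo' and keeps a PSCredential for later use.
$cred = $sample | Save-StoredCredential -Target 'foo'

# PSCredential exposes Password as a SecureString, so the guard does not flag it.
Test-PlainTextSecret $cred
```

Running `Test-PlainTextSecret` against the raw output of `New-StoredCredential` instead shows whether an installed version still returns the plain-text property.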

@realslacker

Is this module still being maintained? This issue was opened years ago...
