Archive for August 2nd, 2007

“PowerShell credentials in clear text” follow-up

If you have not read the comments that MoW and Lee added to the PowerShell Security summary I posted last week, please do.

Both of them commented on my concern that PowerShell can expose in clear text the credentials you specify when a PowerShell script prompts you for a username and/or password. In a nutshell, the bottom line is that it does not really matter. Yes, PowerShell makes retrieving the credentials a simple function call, but even if it were not that easy, someone would have been able to retrieve them anyway.

These are good points, and they have to do with the worst thing a technology can do: give you a false sense of security. The issue arises if PowerShell pretends that it is keeping passwords safe when in fact it is not. If you are providing your credentials to a script, you might want to be cautious about what the script does with them.

I think I still have mixed feelings about the issue, because when seeing the Windows system credential prompt I kind of assume tighter security around the credentials I specify, but I can definitely see the point which MoW and Lee are making. Please read their comments for more details.
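
One way to check what a script does with the credentials it asks for, before running it. This is an added example, not code from the original post or from MoW's or Lee's comments: it parses a script without executing it and lists the calls that turn a credential into plain text. The function name `Find-PlainTextCredentialUse`, the (non-exhaustive) method list and the sample script are assumptions made for the illustration, and it needs PowerShell 3.0 or later for the parser API.

```powershell
# Added example: report where a script converts a credential to plain text.
# Static analysis only: the script text is parsed, never executed.
function Find-PlainTextCredentialUse {
    param([Parameter(Mandatory = $true)][string]$ScriptText)

    # Method calls that hand back a password in the clear (assumed, non-exhaustive list).
    $methods = 'GetNetworkCredential', 'SecureStringToBSTR',
               'SecureStringToGlobalAllocUnicode', 'SecureStringToCoTaskMemUnicode'

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    $hits = $ast.FindAll({
        param($node)
        if ($node -is [System.Management.Automation.Language.InvokeMemberExpressionAst]) {
            # Covers instance calls ($c.GetNetworkCredential()) and static ones ([Marshal]::...).
            return $node.Member -is [System.Management.Automation.Language.StringConstantExpressionAst] -and
                   $methods -contains $node.Member.Value
        }
        if ($node -is [System.Management.Automation.Language.CommandAst]) {
            # ConvertFrom-SecureString -AsPlainText (PowerShell 7+) also returns clear text.
            return $node.GetCommandName() -eq 'ConvertFrom-SecureString' -and
                   ($node.CommandElements | Where-Object {
                       $_ -is [System.Management.Automation.Language.CommandParameterAst] -and
                       $_.ParameterName -like 'AsPlain*' })
        }
        return $false
    }, $true)   # $true = also search nested script blocks

    foreach ($hit in $hits) {
        [pscustomobject]@{ Line = $hit.Extent.StartLineNumber; Code = $hit.Extent.Text }
    }
}

# Constructed sample script (not taken from the post).
$sample = @'
$cred = Get-Credential
$plain = $cred.GetNetworkCredential().Password
Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock { hostname }
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password)
'@

Find-PlainTextCredentialUse -ScriptText $sample | Format-Table -AutoSize
```

A clean result does not prove a script is safe: the credential object can still be passed to other code that reads the password, so this narrows what to review by hand.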


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov