“PowerShell credentials in clear text” follow-up

If you have not read these comments by MoW and Lee which they added to the PowerShell Security summary I posted last week please do.

Both of them commented on my concern on PowerShell being able to expose in clear text the credentials you specify when being prompted by username and/or password by a PowerShell script. In a nutshell, the bottomline is that it does not really matter. Yes, PowerShell makes retrieving the credentials a simple call of a function but even if it were not that easy, someone would have been able to retrieve it anyway.

These are good points and they have to do with the worst thing a technology can do: give you a false sense of security. If PowerShell pretends that it is keeping passwords safe but in fact it is not – this is the issue. If you are providing your credentials to a script you might want to become cautious of what the script does with them.

I think I still have mixed feelings about the issue, because when seeing Windows system credential prompt I kind of assume tighter security around the credentials I specify, but I can definitely see the point which MoW and Lee are making. Please read their comments for more details.

2 Responses to ““PowerShell credentials in clear text” follow-up”


  1. 1 Mark Wilson August 22, 2007 at 10:51 pm

    Thanks for posting this Dmitry.

    MoW and Lee may be convinced that this is not a problem, but as I wrote earlier this evening:

    “…one of the fundamental principles of Windows security is that passwords are never stored in clear-text – only as a hashed value – clearly this breaks that model. Those who think there is nothing wrong with this argue that the credentials are then only used by the user that entered them in the first place. Even so, I’m sure this method could easily be used as part of a phishing attempt…”

    Furthermore, it’s not as if exposing a cleartext password involves a complex hack – by lunchtime on the first day of a Windows PowerShell Fundamentals course we had realised that passwords were available in this way – I’m no scripting expert and if I can find it, then so can those who are less scrupulous.

    Mark

  2. 2 dmitrysotnikov August 23, 2007 at 12:37 am

    I think that as we all keep pushing the guys might change their opinion and change the design.😉

    As I said this was indeed an unpleasant surprise for me. However, I do want to add a few thoughts here just to show that this might all be not that straight-forward:

    1. I am not sure this is something that really enables phishing attacks impossible otherwise. After all, if you trust a script or executable, and the script is malicious it can indeed mock up a system dialog box prompting for credentials and then use them whatever way it likes. So even if this way to get the clear text credentials did not exist, phishing would still be possible and relatively easy. Do not run what you do not trust.

    By the way, this leads to a possible other feature request: let policies define what kind of access scripts get. For example, I might not want scripts to get access to the internet, or file system, etc.

    2. My understanding is that although Active Directory indeed stores hashes instead of passwords this is not the case with local Windows password store. As far as I understand, credentials which get saved locally when you click that “Remember” checkbox when connecting to a site or computer are stored not as hashes but as encrypted data which can fairly easily be recovered should someone get access to your computer. Don’t trust any local credentials storage too much.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




My Recent Tweets

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

August 2007
M T W T F S S
« Jul   Sep »
 12345
6789101112
13141516171819
20212223242526
2728293031  

%d bloggers like this: