Expand Minimize

SPC029103: Do not use convert to secure string

Converting to secure string from plain text is insecure and exposes sensative data

CheckId SPC029103
TypeName DoNotUseConvertToSecureString
Severity CriticalError
Type PoShFile

Bad Practice

$notsecure = convertto-securestring "foo" -asplaintext -force
New-Object System.Management.Automation.PSCredential -ArgumentList "username", (ConvertTo-SecureString "notsecure" -AsPlainText -Force)
Good Practice
$secure = read-host -assecurestring
$encrypted = convertfrom -securestring -securestring $secure
convertto-securestring -string $encrypted

Disclaimer: The views and opinions expressed in this documentation and in SPCAF do not necessarily reflect the opinions and recommendations of Microsoft or any member of Microsoft. SPCAF and RENCORE are registered trademarks of Rencore. All other trademarks, service marks, collective marks, copyrights, registered names, and marks used or cited by this documentation are the property of their respective owners.