I was reading this article from Hey, Scripting Guy! (https://blogs.technet.microsoft.com/heyscriptingguy/2013/03/26/decrypt-powershell-secure-string-password/) and I was thinking…
I’m using the Get-Credential cmdlet in my scripts for Office 365 to log in to the services. Like this:
$O365Cred = Get-Credential $Mail -Message "Office 365 credentials"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Cred -Authentication Basic -AllowRedirection
But what if someone adds this line to the script?
$O365cred.GetNetworkCredential().Password | Out-File C:\Temp\Credential.txt
Then I saw another command:
$SecurePassword = Read-Host "Type your password" -AsSecureString
In this way, no one can easily read it, right?
My question is: How bad is it, security-wise, to use Get-Credential in scripts?
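
A review check for the concern raised in the post, as an added example that is not part of the original post: it parses a script with PowerShell's own parser and lists every call that turns a PSCredential or SecureString back into readable text. The function name Find-PlaintextCredentialUse and the list of flagged members are assumptions chosen for illustration, and the sample input is constructed from the lines quoted above.

```powershell
# Added example (not from the original post). The function name and the
# lists of flagged members below are illustrative assumptions.
function Find-PlaintextCredentialUse {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Parse without executing anything in the script under review.
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Methods that hand back, or are a step towards, the cleartext password.
    $methods = 'GetNetworkCredential', 'SecureStringToBSTR',
               'SecureStringToGlobalAllocUnicode', 'SecureStringToCoTaskMemUnicode'
    # Cmdlet that serializes a SecureString (plaintext with -AsPlainText in PowerShell 7).
    $commands = @('ConvertFrom-SecureString')

    $hits = $ast.FindAll({
        param($node)
        ($node -is [System.Management.Automation.Language.InvokeMemberExpressionAst] -and
            $node.Member.Value -in $methods) -or
        ($node -is [System.Management.Automation.Language.CommandAst] -and
            $node.GetCommandName() -in $commands)
    }, $true)   # $true: also search nested script blocks and functions

    foreach ($hit in $hits) {
        [pscustomobject]@{
            Line = $hit.Extent.StartLineNumber
            Text = $hit.Extent.Text
        }
    }
}

# Constructed sample: the script lines quoted in the post, with the added line last.
$sample = @'
$O365Cred = Get-Credential $Mail -Message "Office 365 credentials"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $O365Cred -Authentication Basic -AllowRedirection
$O365cred.GetNetworkCredential().Password | Out-File C:\Temp\Credential.txt
'@

Find-PlaintextCredentialUse -ScriptText $sample | Format-Table -AutoSize
```

This is a static check: it does not see code that is built at run time (for example through Invoke-Expression), so it supports script review and signing rather than replacing them.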