Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Severity Level: Error
Description
This rule detects the use of the AsPlainText parameter with the ConvertTo-SecureString command,
which bypasses encryption and exposes sensitive information in memory as plain text, defeating the
purpose of SecureString.
Instead, retrieve secure credentials through encrypted channels or use secure input methods like
Read-Host -AsSecureString to ensure sensitive data remains encrypted throughout its lifecycle.
Recommendations
If you need to retrieve passwords programmatically without user interaction, consider using the SecretStore module from the PowerShell Gallery, which provides encrypted credential storage and retrieval.
Example
Noncompliant
$UserInput = Read-Host 'Please enter your secure code'
$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
Compliant
$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString