Edit

AvoidUsingConvertToSecureStringWithPlainText

Severity Level: Error

Description

This rule detects the use of the AsPlainText parameter with the ConvertTo-SecureString command, which bypasses encryption and exposes sensitive information in memory as plain text, defeating the purpose of SecureString.

Instead, retrieve secure credentials through encrypted channels or use secure input methods like Read-Host -AsSecureString to ensure sensitive data remains encrypted throughout its lifecycle.

Recommendations

If you need to retrieve passwords programmatically without user interaction, consider using the SecretStore module from the PowerShell Gallery, which provides encrypted credential storage and retrieval.

Example

Noncompliant

$UserInput = Read-Host 'Please enter your secure code'
$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force

Compliant

$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString