description: Avoid Using SecureString With Plain Text
ms.date: 06/28/2023
ms.topic: reference
title: AvoidUsingConvertToSecureStringWithPlainText

AvoidUsingConvertToSecureStringWithPlainText

Severity Level: Error

Description

The use of the AsPlainText parameter with the ConvertTo-SecureString command can expose secure information.

How

Use a standard encrypted variable to perform any SecureString conversions, such as one read with Read-Host -AsSecureString as in the Correct example below.

Recommendations

If you do need an ability to retrieve the password from somewhere without prompting the user, consider using the SecretStore module from the PowerShell Gallery.
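
One way to follow this recommendation, as an added example that is not part of the original rule documentation: a credential is stored once in a SecretStore vault and later retrieved without ConvertTo-SecureString -AsPlainText. The vault name `LocalStore`, the secret name `DeployServiceAccount` and both function names are assumptions made for illustration.

```powershell
# Added example. Vault name, secret name and function names are assumed.
# One-time install, run interactively:
#   Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
#Requires -Modules Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore

$VaultName  = 'LocalStore'            # assumed vault name
$SecretName = 'DeployServiceAccount'  # assumed secret name

function Initialize-DeploySecret {
    # Registers the SecretStore vault if it is not registered yet, then stores
    # a credential in it. Get-Credential collects the password as a
    # SecureString, so no plain-text string is handed to ConvertTo-SecureString.
    if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore
    }
    $credential = Get-Credential -Message 'Account to store for unattended use'
    Set-Secret -Name $SecretName -Vault $VaultName -Secret $credential
}

function Get-DeployCredential {
    # Returns the stored PSCredential. Fails closed if the secret is missing
    # or was stored as a different type (for example a bare string).
    $secret = Get-Secret -Name $SecretName -Vault $VaultName -ErrorAction Stop
    if ($secret -isnot [pscredential]) {
        throw "Secret '$SecretName' is a $($secret.GetType().Name), expected PSCredential."
    }
    return $secret
}

# Later, in the script that must not prompt for the account password:
#   $cred = Get-DeployCredential
#   $cred.Password is already a SecureString and can be passed to any
#   -Credential parameter as part of $cred.
```

SecretStore protects the vault with its own password by default, so a session has to unlock it (Unlock-SecretStore) before Get-Secret can return the credential.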

Example

Wrong

```powershell
# The value is read and held as a plain-text string before conversion.
$UserInput = Read-Host 'Please enter your secure code'
$EncryptedInput = ConvertTo-SecureString -String $UserInput -AsPlainText -Force
```

Correct

```powershell
# The value is captured directly as a SecureString.
$SecureUserInput = Read-Host 'Please enter your secure code' -AsSecureString
```