• String – Plain text strings. Used to store any text, and of course these can store passwords too. Strings are insecure: they are stored in memory as plain text, and most cmdlets will not accept passwords in this form.
• System.Security.SecureString – This type is like the usual string, but its contents are encrypted in memory. It uses reversible encryption, so the password can be decrypted when needed, but only by the principal that encrypted it.
• System.Management.Automation.PSCredential – PSCredential is a class composed of a username (string) and a password (SecureString). This is the type that most cmdlets require for specifying credentials.
Create SecureString

Type the password in an interactive prompt

$SecurePassword = Read-Host -Prompt "Enter password" -AsSecureString

Convert from existing plaintext variable

$PlainPassword = "P@ssw0rd"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force


Extract password from SecureString

If you have just a simple SecureString holding the password, you can construct a PSCredential object from it and extract the password with GetNetworkCredential (see "Extract password from PSCredentials"). Another method is to marshal the SecureString through a BSTR and free it afterwards:

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecurePassword)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
# Zero and free the unmanaged copy so the plain text does not linger in memory
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)



Create PSCredentials

Assuming that you have the password in SecureString form in the $SecurePassword variable:

$UserName = "Domain\User"
$Credentials = New-Object System.Management.Automation.PSCredential `
-ArgumentList $UserName, $SecurePassword

Extract password from PSCredentials

The password can easily be obtained from a PSCredential object using the GetNetworkCredential method:

$PlainPassword = $Credentials.GetNetworkCredential().Password



Saving encrypted password to file or registry

If you need to store a password for a script that runs unattended, from the scheduler or in some other way, it is possible to save it to the file system or registry in encrypted form. This is the string representation of a SecureString; without a -Key parameter it is protected by Windows DPAPI under the current user account. Only the user that created this value can decrypt and use it, so when saving it, use the same account that the script or service will run as.
Converting a SecureString variable to its secure plain-text representation

$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$SecureStringAsPlainText = $SecurePassword | ConvertFrom-SecureString

Set-Content "D:\files\exportedPassword.txt" $SecureStringAsPlainText

$SecureStringAsPlainText looks like this: "ea32f9d30de3d3dc7fcd86a6a8f587ed9" (actually longer). It can easily be stored in a file, a registry property or any other storage.


1.  We save the password to a txt file first:

$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$SecureStringAsPlainText = $SecurePassword | ConvertFrom-SecureString
Set-Content "D:\files\exportedPassword.txt" $SecureStringAsPlainText

Now that the encrypted password is saved in a text file, you can delete the plain-text password from the first script. The stored value can be read back in either of two forms. For a tool that needs the password in plain text, such as netdom, it can be done this way:

$pwdTxt = Get-Content "D:\files\exportedPassword.txt"
$securestr = $pwdTxt | ConvertTo-SecureString
# Marshal the SecureString to plain text only for the tool that needs it, then free it
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securestr)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
netdom verify frank-pc /Domain:test.com /uo:frank /po:$PlainPassword

You can add echo $PlainPassword at the end to check that the decoded password has the expected form.

Note that if you add -AsPlainText -Force to this ConvertTo-SecureString call, the password will be incorrect: the encrypted string read from the file would then be taken as the literal password instead of being decrypted.

For cmdlets that take a PSCredential, build it from the same SecureString instead:

$UserName = "Domain\User"
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $securestr

The password in the credential should always be in SecureString form, usually the result of ConvertTo-SecureString.
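The save-and-reload procedure above, written as a pair of reusable functions. This is an added example, not code from the original article: the function names, the JSON file layout, the path and the server name are assumptions, and the file ACL step is an addition on top of the DPAPI protection the article relies on.

```powershell
# Added example (not from the original article): persist a credential for an
# unattended script using the ConvertFrom-SecureString / ConvertTo-SecureString
# round trip described above. Function names and paths are assumptions.

function Save-StoredCredential {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)] [string] $Path
    )
    # ConvertFrom-SecureString without -Key protects the value with DPAPI under the
    # current user, so run this as the account the scheduled task will use.
    $encrypted = $Credential.Password | ConvertFrom-SecureString
    @{ UserName = $Credential.UserName; Password = $encrypted } |
        ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8

    # Restrict the file to the current user: DPAPI is the main protection, but the
    # ACL keeps other accounts from even reading the ciphertext or the username.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited rules
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param([Parameter(Mandatory)] [string] $Path)
    $stored = Get-Content -Path $Path -Raw | ConvertFrom-Json
    try {
        # No -AsPlainText here: the stored string is ciphertext, not the password.
        $secure = $stored.Password | ConvertTo-SecureString
    } catch {
        # DPAPI refuses the value when a different user (or, usually, a different
        # machine) tries to decrypt it; say so instead of failing later at logon.
        throw "Cannot decrypt '$Path': it was saved by another user account or on another machine ($($_.Exception.Message))"
    }
    return New-Object System.Management.Automation.PSCredential -ArgumentList $stored.UserName, $secure
}

# One-time setup, run interactively as the service account:
# Save-StoredCredential -Credential (Get-Credential) -Path 'D:\files\svc-cred.json'
# In the unattended script (server01 is a placeholder):
# $cred = Get-StoredCredential -Path 'D:\files\svc-cred.json'
# Invoke-Command -ComputerName server01 -Credential $cred -ScriptBlock { hostname }
```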




Using saved credentials securely in PowerShell scripts