Convert SecureString to String - Get Secured Credential


#1

@andraciorici, @Lavinia

Before, I was able to store email passwords in the Windows Credential Store and pass them to the Email activities as variables.
How am I going to achieve this now, since I can retrieve only a secured string, which works only in type?

Am I missing something?


#2

As Genfour suggested, we need to create an activity that returns a string from a SecureString.
Until then String plainStr = new System.Net.NetworkCredential(string.Empty, secureStr).Password
should work


#3

@badita why don’t you use Get Credential instead of Get Secure Credential if you need the password as string and not secure string?


#4

@andraciorici: there are two Get Credentials

Both return a secured string.


#6

Ok, got it. Well, I think adding an activity that makes a secure password unsecure defies the security purpose. I would instead add a SecureString argument to activities that need it, like Send Mail.


#7

We could do that too. But what’s in it if you can unsecure a secure string via .NET?
Shall we return to unsecured string?


#8

Attached is a workflow that decrypts it using best practices from Microsoft’s MSDN. Missing a try-catch to check if the pass value is null.

Decrypt SecureString.xaml (8.5 KB)


#9

My belief is that if you want to pass a genuinely secure string you should not be able to decrypt it. To make this work you will need to ensure/consider the following:

  1. All activities accepting a password have the option for a string password or a secure string password (possibly just secure string)
  2. You cannot use type secure text to type unless the object that you are typing into is secure e.g. a password box. However, don’t think this is possible so perhaps needs to just be covered by dev standards.

If you cover both of these then the issue of decrypting the secure string goes away I think.


#10

I’m trying to use “Get Credential” but I only find the “Get Credential” activity of the Orchestrator package, so I’m not able to retrieve the credential stored in the Windows Credentials of the local machine.


#11

Do you see this activity?


#12

Hello @Rober_Olmos,

You can find “Get Secure Activity” here:


#13

@andraciorici, @Lavinia, @Horia
By exposing this method of retrieving the secure password from the Windows Credentials Vault we are ultimately compromising the security, as any developer can write this piece of code at the Production system and get the passwords from the vault.
How can we avoid this security breach:

  1. Do we need to import any special Packages/API in order to make this code working? And is there any way we can disable such APIs so code won’t work?
  2. What can be other possible solutions to avoid such issues?

#14

This is not true. The reason is that the unassisted robots run under a Windows Credential that other developers cannot access. Therefore they won’t be able to retrieve the passwords stored in production, as they cannot log in to the robot machine under the robot account.

They will have access, of course, to dev/test credentials.


#15

Use the Assign activity:

On the left, put your string variable.

On the right, put this. OutlookPassword is a secure string variable.
new System.Net.NetworkCredential(string.Empty, OutlookPassword).Password
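
Added example, not part of any post in this thread and not the contents of the attached workflow: a C# example contrasting the `NetworkCredential` one-liner from #2 and #15 with a Marshal-based conversion that rejects a null input (the gap noted in #8) and zeroes the plaintext after use. The helper name `UsePlaintext` and the sample value are hypothetical.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Hypothetical helper: copies the SecureString into unmanaged memory,
    // hands the plaintext to a callback as char[], then zeroes both copies.
    public static void UsePlaintext(SecureString secret, Action<char[]> use)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        if (use == null) throw new ArgumentNullException(nameof(use));

        IntPtr ptr = IntPtr.Zero;
        char[] buffer = new char[secret.Length];
        try
        {
            ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
            Marshal.Copy(ptr, buffer, 0, buffer.Length);
            use(buffer);
        }
        finally
        {
            // Runs even if the callback throws, so no plaintext is left behind.
            Array.Clear(buffer, 0, buffer.Length);
            if (ptr != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(ptr);
        }
    }

    static void Main()
    {
        // Constructed sample value, not a real credential.
        var secret = new SecureString();
        foreach (char c in "Example-Pa55") secret.AppendChar(c);
        secret.MakeReadOnly();

        // One-liner from the thread: yields an immutable managed string that
        // cannot be wiped and stays in memory until garbage collection.
        string viaCredential = new NetworkCredential(string.Empty, secret).Password;
        Console.WriteLine(viaCredential.Length);

        // Marshal-based path: plaintext exists only for the callback's duration.
        UsePlaintext(secret, chars => Console.WriteLine(chars.Length));
    }
}
```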


#17

Hi Susana,

I’m not seeing the Credentials folder under System. Is this an add-on or do I need to import a library?


#18

Hi Vaidya,

Could you please upload a sample XAML showing how we can pass the password in any website using Credential Manager?