Password exposure when bot proceeding

uiautomation
security
bestpractices

#1

Hi,
I am developing bots that have to log in to multiple platforms. When the bot retrieves passwords from an Orchestrator asset and puts them into the password box, there is a chance that the bot could type the password into, let's say, Notepad and expose the password.
My point is the plausibility that someone (a developer from another team) could intentionally or unintentionally expose passwords of service accounts that he/she shouldn't know, and later use them for any purpose. Tasks to enter a username and password are pretty common, as everyone knows.
Is there any measure to prevent this from happening? My organization is very limited in finding someone to review everyone's workflows. Potentially, the number of UiPath developers is growing, and my team has to take care of common security issues and suggest best practices for developers on other teams. Surely, questions about this problem will arise, so I want to address it beforehand.

Thank you


#2

We too have expressed these concerns to UiPath representatives. Not only can you type it into, say, Notepad, there is also a line of code that can convert the password to a string and pretty much output it anywhere, which is actually needed for some activities, though, where you can't use Secure Type Into.

But the thing is, what is stopping an associate from sharing or asking for passwords verbally? It's still up to the employee not to go against your security terms.

Really, the only way to avoid Developers having access to passwords 100% is to prompt the process owner each time they start a job. This could be done by adding an Argument parameter in the Start Job window so the user can type in their password and the Developer never touches it.

However, then how do you as a Developer design and test your process? It’s worth being concerned about though.

Thanks.


#3

Thanks for the reply.
I can see your point, but what if I want to start a job or a process from Orchestrator? There's no type of input from the user or the person who starts the process. Also, what if I use a bot as a tool that many people can access, but I don't want any person to know the password? We can put the password in an asset in Orchestrator, but that way any developer can get that asset and acquire the password.