Password exposure when bot proceeding

wjiraru · August 9, 2017, 3:17am

Hi,
I am developing bots that has to login into multiple platforms. When bot retrieves passwords from Orchestrator’s asset and put them into password box. There is a chance that bot could type password into, let’s say, notepad and expose the password.
My point is the plausibility that someone (developers from other team) could intentional or unintentional expose passwords of service accounts that he/she shouldn’t know; and later uses for any purpose. Tasks to enter username and password are pretty common as everyone knows.
Is there any measure to prevent this from happening ? My organization is very limited on finding someone to review everyone’s workflows. Potentially, the number of UiPath developer is growing, and my team has to take care of common security issues and suggest best practices for other team developers. Surely, questions asking for this problem will arise, so I want to address it before hand.

Thank you

ClaytonM · August 11, 2017, 6:01pm

We too have expressed these concerns to UiPath representatives. Not only can you type it in say Notepad there is a line of code that can convert the password to a string to pretty much output it anywhere, which is actually needed for some activities though where you can’t use Secure Type Into.

But the thing is, what is stopping an associate from sharing or asking for passwords verbally? It’s still with the employee to not go against your security’s terms.

Really, the only way to avoid Developers having access to passwords 100% is to prompt the process owner each time they start a job. This could be done by adding an Argument parameter in the Start Job window so the user can type in their password and the Developer never touches it.

However, then how do you as a Developer design and test your process? It’s worth being concerned about though.

Thanks.

wjiraru · August 16, 2017, 2:43am

Thanks for the replied.
I can see your point but what if I want to start a job or a process from Orchestrator. There’s no type of input from user or the person who start the process. Also, what if I use a bot as a tool many people can access but I don’t want any person to know the password. We can put password to asset in Orchestrator, but that way; any developer can get that asset and acquire the password.

Topic		Replies	Views
How to secure Bot passwords Help robot	9	4109	June 8, 2018
Orchestrator password parameter and assets Help orchestrator , question , security	2	2742	November 26, 2019
How to - Securely passing credentials from Attended BOT to unattended BOT Help	3	1952	September 18, 2019
About the security issue with UiPath Studio & Orchestrator <URGENT> Help	4	5278	September 25, 2017
How will you ensure that passwords to be used in automation are secure Help activities , question , security	6	3116	November 26, 2019

Most Active Users - Yesterday
Anil_G
ashokkarale
jinal.shah
Gautham_Pattabiraman
postwick
chandreshsinh.jadeja
vrdabberu
Ajay_Mishra
sven.wullum1
Vyshnavi_Nalumachu
More details...

Password exposure when bot proceeding

Related Topics