Password field in MailMessages activities is not a secure string

activities
i_duplicate

#1

Hi,

I notice that the Password field in mail activities like Get IMAP Mail Messages and Send SMTP Mail Messages is just String instead of SecureString.

This is disadvantageous. First of all, it reveals the password*. Secondly, it disallows centralization of asset data. For example, I cannot centrally store the password on Orchestrator and use the Get Credential activity to retrieve it.

Please kindly consider making a change to these activities by changing the Password field data type from String to SecureString.


*There is a similar question about encrypting passwords. One recommendation is to use the GetPassword activity, but the output string is still totally visible.

BR,
Hieu


#2

This has been a known issue for a long time. Not sure whether there are plans to change this @badita.

There is a workaround, as you can pass it as a secure string and only convert at the very last instance prior to entering the string into the activity. The only risk here is if someone is able to get on the machine, amend the process to log that value and also run the process. Given the controls around the machine and the Orchestrator, this is a pretty low risk in my opinion.

RD
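
The workaround described in the post above, sketched in plain .NET as an added example that is not part of the original thread or of the product's own code. The class and method names (`SecureStringBridge`, `WithPlaintext`, `WithChars`) are hypothetical and the secret is a constructed sample; the second method is included to show why a String-only field leaves plaintext in memory while a `char[]` consumer does not have to.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringBridge
{
    // String-only consumer (like a Password field typed as String):
    // the plaintext exists only as an argument to `use`, never in a named variable.
    public static void WithPlaintext(SecureString secret, Action<string> use)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        use(new NetworkCredential(string.Empty, secret).Password);
        // The resulting String is immutable and cannot be wiped; it stays in
        // process memory until it is garbage collected.
    }

    // Consumer that accepts char[]: the plaintext copy can be zeroed after use.
    public static void WithChars(SecureString secret, Action<char[]> use)
    {
        if (secret == null) throw new ArgumentNullException(nameof(secret));
        char[] buffer = new char[secret.Length];
        IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(secret);
        try
        {
            Marshal.Copy(ptr, buffer, 0, buffer.Length);
            use(buffer);
        }
        finally
        {
            Array.Clear(buffer, 0, buffer.Length);   // wipe the managed copy
            Marshal.ZeroFreeGlobalAllocUnicode(ptr); // wipe and free the unmanaged copy
        }
    }

    static void Main()
    {
        // Constructed sample secret; in a workflow it would come from Get Credential.
        using (var secret = new SecureString())
        {
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();
            WithPlaintext(secret, p => Console.WriteLine("String length: " + p.Length));
            WithChars(secret, b => Console.WriteLine("char[] length: " + b.Length));
        }
    }
}
```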


#3

#4

Thanks for your input. I managed to get the asset’s password from Orchestrator and pass it on to the send email activity. As you can see, there is no proper solution to protect secure info as long as we have to convert a SecureString to a String value.
I look forward to having this fixed.
/Hieu


#5

Closed as duplicate: