Security/Password Issues & Long-term Strategy


My Development team and I are currently reviewing security considerations around our workflows, and one of the potential issues we have raised is the accessibility of passwords from the Windows Credential Vault using UiPath.

Currently, while UiPath ‘Get Credentials’ can return a password as a ‘SecureString’ from the Vault, this can be converted to ‘String’ with an ‘assign’ activity and some code provided by UiPath in a previous forum post. The password is then easily visible and can be written to console/logs etc.

There also does not seem to be the option to maintain the password as ‘SecureString’ for all purposes, even if the conversion from SecureString to String were somehow blocked or prevented: while there is a ‘Type SecureString’ activity, passwords in ‘SecureString’ format cannot be entered in an Excel Application Scope.

Do the UiPath team have any advice/best practice on how to maintain the security of passwords when ‘Getting’ them from the Windows Vault?
Is there a long-term strategy for the use of credentials and the relevant activities/code within workflows that will maintain the security of passwords when they are entered into a workflow? Specifically, is the conversion from SecureString to String going to be a permanent capability in UiPath Studio, or a temporary measure before something more secure is implemented?



This is an excellent question, and here is how UiPath mitigates it in enterprise deployments.

  1. Release Cycle
    Every workflow that goes into production needs reviewer approval (the reviewer is the one who pushes the workflow via Orchestrator). Now, he needs to check how all the SecureStrings are used, so he needs to make sure that SecureStrings are not entered into Notepad and sent via email.

  2. Source Control
    You can get to the developer who entered malicious code within the workflow.

  3. Dev/Test/Production environments
    While a dev may call GetCredential within the Dev environment, he does not have access to production machines. The developer has access only to TestCredentials.

Somehow you have the same problem in software development. How do you make sure that sensitive data is protected?
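The following is an added example, not code from this thread, from UiPath or from the forum post the question mentions. It shows, in the .NET that UiPath Studio expressions and Invoke Code run on, the SecureString-to-String conversion the question refers to, a narrower char[] pattern for the cases where plaintext is unavoidable, and a small scan that a reviewer in the release-cycle step from the answer could run over a workflow file to find every place a SecureString becomes plaintext. The class and method names (SecureStringDemo, ToPlainString, WithPlainChars, FindConversions), the sample password and the XAML fragment are all constructed for the demo, and the regex pattern list is an assumption to be extended with whatever local helpers a team uses.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security;
using System.Text.RegularExpressions;

// Added example, not UiPath code. Names (SecureStringDemo, ToPlainString,
// WithPlainChars, FindConversions) and all sample data are assumptions.
static class SecureStringDemo
{
    // Constructed sample credential; a real workflow would get this from
    // Get Credentials / the Windows Credential Vault.
    static SecureString SamplePassword()
    {
        var ss = new SecureString();
        foreach (char c in "demo-p4ss") ss.AppendChar(c);
        ss.MakeReadOnly();
        return ss;
    }

    // The conversion the question refers to. The returned managed String is
    // immutable, cannot be wiped, may be copied by the GC, and will appear in
    // any Log Message / Write Line it reaches.
    public static string ToPlainString(SecureString ss)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(ss);
            return Marshal.PtrToStringBSTR(bstr);
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    // Narrower alternative when plaintext is unavoidable: expose a char[] to a
    // callback and wipe it afterwards, so the secret is in managed memory only
    // for the duration of the call and never becomes a String.
    public static T WithPlainChars<T>(SecureString ss, Func<char[], T> use)
    {
        IntPtr bstr = IntPtr.Zero;
        char[] chars = null;
        try
        {
            bstr = Marshal.SecureStringToBSTR(ss);
            chars = new char[ss.Length];
            Marshal.Copy(bstr, chars, 0, chars.Length);
            return use(chars);
        }
        finally
        {
            if (chars != null) Array.Clear(chars, 0, chars.Length);
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
        }
    }

    // Reviewer check for the release-cycle step: list every line of a workflow
    // file that turns a SecureString back into plaintext, so the reviewer can
    // follow where each plaintext value goes next. The pattern list is an
    // assumption; extend it with any local helper your team uses.
    static readonly Regex ConversionPattern = new Regex(
        @"SecureStringToBSTR|PtrToStringBSTR|SecureStringToGlobalAllocUnicode" +
        @"|SecureStringToCoTaskMemUnicode|NetworkCredential\(|ConvertFrom-SecureString",
        RegexOptions.IgnoreCase);

    public static List<int> FindConversions(string xaml)
    {
        var hits = new List<int>();
        string[] lines = xaml.Split('\n');
        for (int i = 0; i < lines.Length; i++)
            if (ConversionPattern.IsMatch(lines[i])) hits.Add(i + 1);
        return hits;
    }

    static void Main()
    {
        SecureString pwd = SamplePassword();

        // Leaky path: once it is a String, nothing prevents it reaching a log.
        string leaked = ToPlainString(pwd);
        Console.WriteLine("A log line would now contain: " + leaked);

        // Narrower path: only the length leaves the callback; the char[] is wiped.
        int len = WithPlainChars(pwd, chars => chars.Length);
        Console.WriteLine("Password length seen via char[]: " + len);

        // Constructed fragment standing in for a Main.xaml under review.
        string xaml =
            "<Activity>\n" +
            "  <Assign><Assign.Value>[New NetworkCredential(\"\", cred).Password]</Assign.Value></Assign>\n" +
            "  <Assign><Assign.Value>[Marshal.PtrToStringBSTR(Marshal.SecureStringToBSTR(cred))]</Assign.Value></Assign>\n" +
            "  <Assign><Assign.Value>[cred.Length]</Assign.Value></Assign>\n" +
            "</Activity>";
        foreach (int line in FindConversions(xaml))
            Console.WriteLine("Review: SecureString converted to plaintext on line " + line);
    }
}
```

Build it as a plain .NET console project (it uses only System, System.Runtime.InteropServices and System.Security). Two caveats a reviewer should keep in mind: the conversion cannot be blocked technically, because any code running inside the robot process can read the SecureString, so the real control is who may author and publish workflows and which credentials each environment exposes, which is what the three points above are about; and the NetworkCredential constructor gives the same plaintext as the Marshal calls, so a scan that only looks for SecureStringToBSTR will miss conversions.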