Security/Password Issues & Long-term Strategy

WJones · May 8, 2017, 7:24am

Hi,

My Development team and I are currently reviewing security considerations around our workflows, and one of the potential issues we have raised is the accessibility of passwords from the Windows Credential Vault using UiPath.

Currently, while UiPath ‘Get Credentials’ can return a password as a ‘SecureString’ from the Vault, this can be converted to ‘String’ with an ‘assign’ activity and some code provided by UiPath in a previous forum post. The password is then easily visible and can be written to console/logs etc.

There also does not seem to be the option to maintain the password as ‘SecureString’ for all purposes, if the conversion from SecureString to String was somehow blocked/prevented- while there is a ‘Type SecureString’ activity, passwords in ‘SecureString’ format cannot be inputted in an Excel Application Scope.

Do the UiPath team have any advice/best practice on how to maintain the security of passwords when ‘Getting’ them from the Windows Vault?
Is there a long-term strategy for use of credentials and relevant activities/code within workflows that will maintain the security of passwords when they are inputted into a workflow? Specifically, is the conversion from SecureString to String going to be a permanent capability in UiPath Studio, or temporary measure before something more secure is implemented?

Thanks,
Will

badita · June 8, 2017, 8:56am

This is an excellent question and here is how UiPath mitigates it in enterprise deployments.

Release Cycle
Every workflow that goes into production needs a reviewer approval (the reviewer is the one who pushes the workflow via Orchestrator). Now, he needs to check how all the SecureStrings are used So he needs to make sure that SecureStrings are not entered into notepad and sent via email.
Source Control
You can get to the developer that entered malicious code within the workflow
Dev/Test/Production environments
While a dev may call GetCredential within Dev environment he does not have access to production machines. The developer has access only to TestCredentials.

Somehow you have the same problem in software development. How do you make sure that sensitive data is protected?

Topic		Replies	Views
Security Concerns! Help	5	8954	October 29, 2018
Is there a way in UiPath wherein we can encrypt a password without using Orchestrator Help	5	6107	June 6, 2019
Using passwords via credential assest Help orchestrator	1	6335	October 20, 2017
How to convert secure string to string in uipath Studio studio , question , command_palette	23	8852	October 19, 2022
How to convert SecureString to string for password from orchestrator can be input on web app Robot	3	3455	July 28, 2021

Most Active Users - Yesterday
Anil_G
ashokkarale
Ajay_Mishra
Gautham_Pattabiraman
BHUSHAN_NAGAONKAR1
vrdabberu
ABHIMANYU_THITE1
lrtetala
samantha_shah
shyamala_shyamu
More details...

Security/Password Issues & Long-term Strategy

Related Topics