The UiPath activity 'Send SMTP Mail Message' needs a password in the properties pane for it to work. This password just needs to be a String, but this is not a good solution as the password will then be exposed. I would like to request that it is changed so that it should be a SecureString.
Thank you for your answer. Our security department is not happy about it, so I would personally think it should be high priority. But thank you for the workaround!
I agree. But if we put it as a secure string, we can at least have the SMTP password stored in Assets under credentials and not visible as plain text. I am aware of the case where they could type into a notepad, exposing the password. But in that case, the code reviewers have to ensure that the password is typed in the correct region. It makes a lot of clients uncomfortable seeing the passwords being visible as plain text. In my opinion it would be better to have something (secure string for the moment) rather than nothing.
I would say that this should be high priority. It’s hard to explain to clients how UiPath takes security seriously when the passwords are stored in plain text.
Meanwhile, I have written a workflow for this that safely stores the password in the Windows credential manager at the first invocation (similar to what you do for a general logon): SendMail.xaml (22.0 KB)
Really hoping for SecureString input in SMTP mail activity, we use this to send e-mails from the robot user, and users (process owners) have access to Orchestrator to manage their projects assets.
One other thought: you do not need to create a String variable or use the Assign activity; you can simply put the following statement into the SMTP Password property (field):
new System.Net.NetworkCredential(string.Empty, password).Password
I notice that the Password fields in mail activities like Get IMAP Mail Messages and Send SMTP Mail Messages are just String instead of SecureString.
This is disadvantageous. First of all, it reveals the password*. Secondly, it disallows centralization of asset data. For example, I cannot centrally store the password on Orchestrator and use the Get Credential activity to retrieve it.
Please kindly consider making a change to these activities by changing the Password field data type from String to SecureString.
*There is a similar question about encrypting passwords. One recommendation is to use the GetPassword activity, but the output string is still totally visible.
This has been a known issue for a long time. Not sure whether there are plans to change this @badita.
There is a workaround, as you can pass it as a secure string and only convert at the very last instance prior to entering the string into the activity. The only risk here is if someone is able to get on the machine, amend the process to log that value and also run the process. Given the controls around the machine and the Orchestrator, this is a pretty low risk in my opinion.
Thanks for your input. I managed to get the asset's password from Orchestrator and pass it on to the send email activity. As you can see, there is no proper solution to protect secure info as long as we have to convert a SecureString to a String value.
I look forward to having this fixed.
/Hieu