'Send SMTP Mail Message' Password - SecureString

Hi

The UiPath activity ‘Send SMTP Mail Message’ needs a password in the properties pane for it to work. This password just needs to be a String but this is not a good solution as the password then will be exposed. I would like to request that it is changed so that it should be a SecureString.

Thanks!

3 Likes

We have in mind this idea: all the activities that require a password (email, terminals, office, etc.) should accept a SecureString as a parameter.

However, it takes time so we do not look at it as having high priority.

Till then the solution is to convert the secureString to a String:

6 Likes

Hi

Thank you for your answer. Our security department is not happy about it so I would personally think it should be high priority :slight_smile: But thank you for the workaround!

3 Likes

@badita Do we know when we have this planned? I have been asked this question a lot lately.

We’re thinking about it.

Now, how would you see a possible implementation taking into account that:

  • You can anyway get the password out of a secure string
  • You may need to type the password in different apps… therefore you can type it in Notepad

Isn’t this enough?

1 Like

I agree. But if we put it as a secure string, we can at least have the SMTP password stored in Assets under credentials and not visible as plain text. I am aware of the case where they could type into a notepad exposing the password. But in that case, the code reviewers have to ensure that the password is typed in the correct region. It makes a lot of clients uncomfortable seeing the passwords being visible as plain text. In my opinion it would be better to have something (secure string for the moment) rather than nothing.

3 Likes

Hi,
Is this problem still unsolved, or has it been solved?

Hello, I would also like to see a solution to this problem.

Is there any solution?

I would say that this should be high priority. It’s hard to explain to clients how UiPath takes security seriously when the passwords are stored in plain text.

3 Likes

Hello,
I’m also looking forward to a solution.
@badita Thank you for the suggested workaround :slight_smile:

1 Like

Meanwhile, I have written a workflow for this that safely stores the password in the Windows credential manager at the first invocation (similar to what you do for a general logon):
SendMail.xaml (22.0 KB)

1 Like

Really hoping for SecureString input in SMTP mail activity, we use this to send e-mails from the robot user, and users (process owners) have access to Orchestrator to manage their projects assets.

1 Like

What I did as a workaround was create an extra string variable for the password, like “StrPassword”, and it solved my problem.

Follow these steps:
Create a variable StrPassword

Then take an Assign activity and assign a value to StrPassword

And in the value, type the string as

“new System.Net.NetworkCredential(string.Empty, password).Password”

Where “password” contains your secure string that you get from Orchestrator assets or Windows credentials

2 Likes

One other thought, you do not need to create a String Variable or use the Assign Activity, you can simply put the following statement into the SMTP Password Property (Field):
“new System.Net.NetworkCredential(string.Empty, password).Password”

Hi,

I notice that the Password field in mail activities like Get IMAP Mail Messages and Send SMTP Mail Messages is just a String instead of a SecureString.

This is disadvantageous. First of all, it reveals the password*. Secondly, it disallows centralization of asset data. For example, I cannot centrally store the password on Orchestrator and use the Get Credential activity to retrieve it.

Please kindly consider making change to these activities by changing Password field data type from String to SecureString.

*There is similar question about encrypting password. One recommendation is to use GetPassword activity but the output string is still totally visible.

BR,
Hieu

This has been a known issue for a long time. Not sure whether there are plans to change this @badita.

There is a workaround, as you can pass it as a secure string and only convert at the very last instance prior to entering the string into the activity. The only risk here is if someone is able to get on the machine, amend the process to log that value and also run the process. Given the controls around the machine and the Orchestrator this is a pretty low risk in my opinion.

RD

1 Like
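
The conversion discussed in the posts above, written out in C# as an added example (not code from the thread or from UiPath). It shows the `NetworkCredential` expression next to the equivalent `Marshal` calls, and the "convert at the very last instance" placement. `SendMail` is a hypothetical stand-in for an activity whose Password property is a String, and the sample secret and address are constructed.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringToSmtpPassword
{
    // The thread's workaround: NetworkCredential decrypts the SecureString.
    static string ViaNetworkCredential(SecureString s) =>
        new NetworkCredential(string.Empty, s).Password;

    // Same result by hand: the unmanaged copy is zeroed, the returned String is not.
    static string ViaMarshal(SecureString s)
    {
        IntPtr p = IntPtr.Zero;
        try
        {
            p = Marshal.SecureStringToGlobalAllocUnicode(s);
            return Marshal.PtrToStringUni(p);
        }
        finally
        {
            if (p != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(p);
        }
    }

    // Hypothetical stand-in for an activity whose Password property is a String.
    // It logs only the length, never the value.
    static void SendMail(string user, string password) =>
        Console.WriteLine($"sending as {user} (password length {password.Length})");

    static void Main()
    {
        // Constructed sample secret; a workflow would get this from Get Credential.
        using (var secret = new SecureString())
        {
            foreach (char c in "constructed-sample") secret.AppendChar(c);
            secret.MakeReadOnly();

            // Both routes yield the same plaintext: SecureString is reversible by design.
            Console.WriteLine(ViaNetworkCredential(secret) == ViaMarshal(secret));

            // Convert in the argument position so no String variable holds the
            // plaintext where a later log statement could pick it up.
            SendMail("robot@example.test", ViaNetworkCredential(secret));
        }
    }
}
```

Either route leaves an ordinary managed String in process memory until it is garbage collected, so the inline conversion narrows where the plaintext is visible in the workflow rather than removing it.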

Thanks for your input. I managed to get the asset’s password from Orchestrator and pass it on to the send email activity. As you can see there is no proper solution to protect secure info as long as we have to convert a SecureString to a String value.
I look forward to having this fixed.
/Hieu

1 Like

Closed as duplicate: