PowerShell: Securing Passwords in Scripts by encrypting with the Security Identifier (SID)

A few months ago I wrote a post about passwords in scripts. In that post I solved the “problem” by encrypting with certificates. This time I will show how to encrypt passwords in scripts with the SID (Security Identifier) of the user.

Before we start here is the link to the blog post mentioned: PowerShell: Encrypt and store your Passwords and use them for Remote Authentication (Protect-CmsMessage)

Now let’s move to another method: Encrypting with the user SID.

Let’s say we want to connect to our Office 365 portal. But we do not want to enter the password every time.

Password Encryption

The code below encrypts the password 1234user! with the user's SID.

# The plain-text password is passed in directly; the result is a SecureString, not the clear text
$password = ConvertTo-SecureString -String '1234user!' -AsPlainText -Force

What’s in $password? A secure string!


Now we can convert the secure string to an encrypted standard string. Don’t worry, the newly created string does not reveal our password 1234user!

$password | ConvertFrom-SecureString


Using the Encrypted Standard String in Scripts

Now we are ready to use the encrypted standard string for remote actions such as logging into Office 365, Exchange Online, or any other service that takes a credential.

Here is the code for logging into Azure AD.

$user = 'p.gruenauer@sid-600.com'
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea016536efe4744bb4a77103e98ddefa00000000020000000000106600000001000020000000044d9a296bbb9c4339e6a4ab7584c422046e796dbfe6198ad0cbc325554bd36b000000000e800000000200002000000013367bb65754126cbfb1b68b6c2fe13e445a9e963232b2f33eea2bc522375d04200000000b52993f4aa8f1bf8924ca48866d85d35fa2d590b63792da46392015f8ebf31a4000000013a73aece10a860fd4e22728ceb9eb6c6384be9c173c074c11ab31704988fe1831e2cbdd97f3dc33f95d46ef3d6b7304235fa4f5945a6c27c586d4630f140642" | ConvertTo-SecureString   # turns the encrypted standard string back into a SecureString (same user, same computer)

$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
Connect-AzureAD -Credential $cred
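The whole workflow above, as an added example that is not part of the original post: the encrypted standard string is written to a file once (prompting for the password instead of hard-coding it), and every later run reads it back and rebuilds the credential. ConvertFrom-SecureString without -Key protects the string with DPAPI in CurrentUser scope, which is what ties it to this account on this computer; the file path and the check on a foreign-machine failure are my assumptions.

```powershell
# Added example (not from the original post). Assumed file location; adjust as needed.
$credFile = Join-Path $env:LOCALAPPDATA 'o365-cred.txt'
$user     = 'p.gruenauer@sid-600.com'

# --- One-time setup: run interactively as the account that will later run the script.
# Read-Host -AsSecureString keeps the clear-text password out of the script file
# and out of the console history.
if (-not (Test-Path $credFile)) {
    $secure = Read-Host -Prompt "Password for $user" -AsSecureString
    # Without -Key, ConvertFrom-SecureString uses DPAPI (CurrentUser scope):
    # only this Windows account on this computer can decrypt the result.
    # Supplying -Key would make the string portable, but then the key itself
    # has to be protected, which moves the problem rather than solving it.
    $secure | ConvertFrom-SecureString | Set-Content -Path $credFile
}

# --- Every later run: load the encrypted standard string and rebuild the credential.
function Get-StoredCredential {
    param([string]$UserName, [string]$Path)
    try {
        $encrypted = (Get-Content -Path $Path -Raw).Trim()
        $secure    = $encrypted | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # DPAPI refuses to decrypt when the file is read by another user or on
        # another computer ("Key not valid for use in specified state").
        throw "Cannot decrypt '$Path' as $env:USERNAME on $($env:COMPUTERNAME): $_"
    }
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

$cred = Get-StoredCredential -UserName $user -Path $credFile

# Sanity check that decryption produced a password, without printing it.
if ($cred.GetNetworkCredential().Password.Length -eq 0) {
    throw "Stored credential for $user is empty"
}

Connect-AzureAD -Credential $cred
```

Because the file is only readable by this account on this machine, copying it to a scheduled task that runs under a service account, or to another host, will fail at the ConvertTo-SecureString step rather than silently logging in.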

Fine, that’s it.

See you next time with PowerShell!


  1. Hi Patrick,
    I’m thinking this way is 100% secure, as some other ways, because the Encrypted Standard String can be decrypted only by the account that encrypted it AND on the same computer.
    Do you agree with this ?


    • Hi Kevin,

      Please consider that none of the methods (SID, Certificate) could be 100 % secure.

      Coming back to your question. Yep, the secure string is bound to the user and computer.
