Passwords are hard. When we prompt for passwords, especially for complex passwords, it's important to ensure that we know what we are entering. When using Get-Credential interactively from the command line, you currently only get one opportunity to type in your password. It's easy to fat finger a complex password. If you fat finger a complex password, then use it somewhere, you can make that resource inaccessible. We should enable a confirmation of the password when using this cmdlet interactively.
Consider adding a -ConfirmPassword parameter that confirms two password strings entered at the command line are correct. If correct, proceed with saving the credential. If incorrect, re-prompt the user for matching strings. Something like this:
Successful entry
PS C:\> Get-Credential -credential user1 -ConfirmPassword
PowerShell credential request
Enter your credentials.
Password for user user1: ************
Confirm password for user user1: ************
UserName Password
-------- --------
user1 System.Security.SecureString
Unsuccessful entry
PS C:\> Get-Credential -credential user1 -ConfirmPassword
PowerShell credential request
Enter your credentials.
Password for user user1: *****
Confirm password for user user1: ************
Passwords do not match.
Enter your credentials.
Password for user user1: ************
Confirm password for user user1: ************
UserName Password
-------- --------
user1 System.Security.SecureString
-Confirm would conflict with the common parameter used for ShouldProcess. I'd suggest something like -ConfirmPassword
Good idea @vexx32, I updated the description to reflect that.
How would it know how to verify the credential? I realize that the request is probably for Active Directory credentials but a credential object can be used for anything.
I think it would make more sense to break this functionality out into a specific command, something like Test-ADCredential or a completely separate Get-ADCredential that wraps Get-Credential.
It's not a verification of the credential itself. It's a confirmation that the password you entered twice matches. This would be similar to many web site credential creation procedures that are commonly seen, as well as the passwd command on Linux.
[root@vm1~]# passwd user1
Changing password for user user1.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
That said, I think having an easy way to validate an AD credential could be valuable as well @SeeminglyScience, but that's outside the scope of this particular enhancement request.
It's not a verification of the credential itself. It's a confirmation that the password you entered twice matches.
Ahhh yes, I misunderstood 🙂 that makes much more sense 👍
Does anyone want to implement this? It looks like an easy and very useful enhancement. Ask if you need help to start.
I wouldn't mind giving this a shot myself, but this would be my first contribution so I'd likely need some hand-holding. I'd guess that the logic would be implemented here:
Not entirely sure how to handle the UI elements, or adding a parameter to the cmdlet.
@jboeshart Parameters are defined above in the code with the Parameter attribute.
Use debugger to get better understanding how the code works.
Gotcha, let me hack away at it and see if I can get something workable here. Are contributors also responsible for creating/updating tests too? Just want to make sure I included everything that's necessary.
Search for public override PSCredential PromptForCredential in https://github.com/PowerShell/PowerShell/blob/1be3f4cc0e465ae11ad8e59e9060f5a59e4762eb/src/Microsoft.PowerShell.Security/security/CredentialCommands.cs
Yes, you should update tests in https://github.com/PowerShell/PowerShell/blob/acb52b3d9c92e347ea529242e8ab25a09ea31222/test/powershell/Modules/Microsoft.PowerShell.Security/GetCredential.Tests.ps1
Tests can be tricky. We use a special test host (created in the test file with $th = New-TestHost). I guess you will have to update it too. See the helper module in test\tools\Modules\HelpersHostCS\
Ok, I've logged #10692 with my updates to make this work. Need to work on tests, but I wanted to get some feedback on the changes that I've made.
I'd also like some clarity on if the code to compare the secure strings is acceptable. This is a bit sensitive, since you can't directly compare secure strings. The code is based on guidance from the following links. I think this is probably ok, since we're just comparing strings, and the only way they would be exposed is if you were actively debugging the code as you were entering the password. That said, I'd like to have someone with a little more experience in this area validate this is ok.
https://stackoverflow.com/questions/4502676/c-sharp-compare-two-securestrings-for-equality
https://www.sjoerdlangkemper.nl/2017/11/08/comparing-securestrings-in-dotnet/
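As an added example (not code from the issue, the linked PR or the PowerShell repository), this is the shape of the comparison the linked posts describe: each SecureString is decrypted only into an unmanaged BSTR, every character is compared without an early exit so the timing does not reveal where the first mismatch is, and the buffers are zeroed before being freed. The helper names and the demo strings are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringCompare
{
    // True when both SecureStrings contain exactly the same characters.
    // No managed string is ever created from either value.
    public static bool AreEqual(SecureString a, SecureString b)
    {
        if (a is null) throw new ArgumentNullException(nameof(a));
        if (b is null) throw new ArgumentNullException(nameof(b));

        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            pa = Marshal.SecureStringToBSTR(a);   // decrypt into unmanaged memory
            pb = Marshal.SecureStringToBSTR(b);
            int lenA = a.Length, lenB = b.Length;
            int diff = lenA ^ lenB;               // non-zero if the lengths differ
            int n = Math.Min(lenA, lenB);
            for (int i = 0; i < n; i++)
            {
                // BSTR content is UTF-16, so each character is two bytes
                short ca = Marshal.ReadInt16(pa, i * 2);
                short cb = Marshal.ReadInt16(pb, i * 2);
                diff |= ca ^ cb;                  // accumulate, never break early
            }
            return diff == 0;
        }
        finally
        {
            // ZeroFreeBSTR overwrites the plaintext before releasing the buffer
            if (pa != IntPtr.Zero) Marshal.ZeroFreeBSTR(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeBSTR(pb);
        }
    }

    // Demo only (constructed input): real code obtains the SecureString from
    // the host prompt and never holds the password in a managed string.
    static SecureString Build(string s)
    {
        var ss = new SecureString();
        foreach (char c in s) ss.AppendChar(c);
        ss.MakeReadOnly();
        return ss;
    }

    static void Main()
    {
        using var first = Build("Correct-Horse-9");
        using var retyped = Build("Correct-Horse-9");
        using var typo = Build("Correct-Hors");
        Console.WriteLine(AreEqual(first, retyped));
        Console.WriteLine(AreEqual(first, typo));
    }
}
```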
-ConfirmPassword does still intersect with the -Confirm common parameter. I suggest -ReEnterPassword.
@iSazonov I would like to try and fix this issue. This is my first fix and so I may need little help with the process
@Shriram0908 Feel free to ask.
@iSazonov I see "Expected — Waiting for status to be reported" on the PR. What does it mean, and should I do something from my side?
@iSazonov Can we re-open this issue, and how shall we implement this feature?
@Shriram0908 You need to review related discussions like https://github.com/PowerShell/PowerShell/issues/13346#issuecomment-668322559
I think @rjmholt could help you too.
We just need to come up with a better way to re-prompt a password. There are a few possibilities:
(1) provides the most re-use, but is hardest to get right. One way is to provide a new method that re-prompts, itself calling one of the abstract methods, but meaning that commands not targeting PS 7.1 won't be able to re-prompt. Because commands need to call the overridden abstract method directly, we're quite constrained in our options.
(2) is essentially a bad implementation of (1), so is probably not the right way to go.
(3) is another possibility, which means we're more free to implement what we like, but means that other hosts (particularly the PowerShell extension for VSCode) won't get this improvement.
I am a new, first-time contributor; can I try?
@RathiJ Yes. Please read the issue history because we had compatibility problems with the "right" implementation.
@iSazonov, thank you. Can you please assign this bug to me? I read the threads above and got some history of it. I am working on it. Thanks again.
@RathiJ GitHub does not allow explicitly assigning an issue to non-members, but feel free to work on the issue.
Sure, thank you.