Disclaimer: this is not secure. If you want secure, you need to encode the password as a secure string in a supporting file. This is for when you have to have the password in the script, but you want to hide it in plain sight.
The trick: obfuscation.
First off, go to http://home2.paulschou.net/tools/xlate/, put your password in the TEXT field, and get the HEX values. If your password is “Password”, the HEX will be 50 61 73 73 77 6f 72 64
Next, generate a very long string of random characters to use. I use my Generate-Password function to make a 48 character password of every printable character (with the Consolas font, anyway) in the standard ASCII set:
$charSet = [string]::Join("", (((33..126)+(161..255)) | %{[char]$_}))
Generate-Password -Length 48 -Chars $charSet
This leaves me with something like Ý×ôg’ÐÚ®ÉFS)ÉAÓ<ɨc¦TÊiÝØ¨ü*T&½Â{íÏÄüïN¾m!bhm0¦
Next, we need to combine these together. In your random string, find a place where there are no lower-case hexadecimal characters for the length of your password +1. In this case, it’s the string ®ÉFS)ÉA. It can be anywhere in your string; it just has to be clean. After the first character of the selected substring, enter your first Hex character pair (50 in this case.) Skip a character, enter the next one, and so on. When you are done, you should have a combined string like Ý×ôg’ÐÚ®50É61F73S73)77É6fA72Ó64<ɨc¦TÊiÝØ¨ü*T&½Â{íÏÄüïN¾m!bhm0¦
Note: I picked 48 characters because my 8 char password produces 16 hex chars, making a nice 64-digit block of seemingly-meaningless text. The whole point is to add as many layers of obfuscation as possible; even someone counting characters could be led nicely off-track for a while.
Now that you have this nice ridiculous string, assign it to a variable with a misdirecting name:
$Temp2 = "Ý×ôg'ÐÚ®50É61F73S73)77É6fA72Ó64<ɨc¦TÊiÝØ¨ü*T&½Â{íÏÄüïN¾m!bhm0¦"
It helps to also do the same for the username, in a variable called $temp3, and maybe one or two that won’t be used.
Now that you have a nicely encoded, obfuscated password, you just need the script to be able to decode it. Run:
($Temp2 -creplace "[^0-9a-f]","#").Split("#")
Note the use of -creplace instead of -replace; case-sensitive regex really matters here. You should get a whole bunch of blank lines, with perhaps a few single Hex characters, and somewhere in the middle, your Hex pairs. What we did was find every character that does not match 0..9 or a..f, replace it with a # character, and then split the string into an array on that character. I picked the hash because it has meaning in PoSH, but we are not using that meaning in this context, thus providing further obfuscation.
Now count your way to the first pair of your set (remember to start at 0) and the last pair. In my example case, it’s 8 and 15. Now, append that index range to the end of the previous command:
($Temp2 -creplace "[^0-9a-f]","#").Split("#")[8..15]
If you did it right, you just got your original Hex string, only as an array instead of a string separated by spaces. We’re just narrowing to only those members of the array.
We’re almost there. To get the password back, we need to convert each of these hex pairs into an ASCII character, and then change this array of ASCII characters into a single string.
[string]::join("", (($Temp2 -creplace "[^0-9a-f]","#").Split("#")[8..15] | %{[convert]::ToInt32($_, 16)} | %{[char]$_}))
The [convert] portion of the pipeline converts the Hex (aka Base16) characters to Int32. The [char] portion converts the integers to their ASCII equivalents. And the whole pipeline is contained in parentheses within the [string]::Join command, which joins the array as a string. The output is the password we originally encoded.
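The manual steps above can be scripted and checked with a round trip. This is an added example, not code from the original post: the function names, the ASCII-only carrier string and the offset are constructed for illustration, and the secret is assumed to be ASCII. It also shows that the index range follows directly from the encoded string, so recovery is purely mechanical.

```powershell
# Added example (not from the original post). Function names and the carrier
# string are constructed for illustration.
function ConvertTo-InterleavedHex {
    param(
        [string]$Secret,   # ASCII value to hide
        [string]$Carrier,  # random filler string
        [int]$Offset       # start of a run of Secret.Length + 1 non-hex characters
    )
    $run = $Carrier.Substring($Offset, $Secret.Length + 1)
    if ($run -cmatch '[0-9a-f]') {
        throw "Carrier run '$run' contains 0-9 or a-f; pick another offset."
    }
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append($Carrier.Substring(0, $Offset))
    for ($i = 0; $i -lt $Secret.Length; $i++) {
        # One carrier character, then one lower-case hex pair.
        [void]$sb.Append($run[$i])
        [void]$sb.Append(('{0:x2}' -f [int]($Secret[$i])))
    }
    [void]$sb.Append($Carrier.Substring($Offset + $Secret.Length))
    # Every non-hex character before the first pair becomes one '#', so the
    # first pair's index after Split('#') is the count of those characters.
    $first = [regex]::Matches($Carrier.Substring(0, $Offset + 1), '[^0-9a-f]').Count
    [pscustomobject]@{
        Encoded = $sb.ToString()
        First   = $first
        Last    = $first + $Secret.Length - 1
    }
}

function ConvertFrom-InterleavedHex {
    param([string]$Encoded, [int]$First, [int]$Last)
    # Same pipeline as the post, with the indices passed in.
    $pairs = ($Encoded -creplace '[^0-9a-f]', '#').Split('#')[$First..$Last]
    [string]::Join('', ($pairs | ForEach-Object { [char][convert]::ToInt32($_, 16) }))
}

$carrier = 'XQ!gZ~VKRT)WLM<PcYGhm0J'   # constructed sample, ASCII only
$r = ConvertTo-InterleavedHex -Secret 'Password' -Carrier $carrier -Offset 7
$r.Encoded
"$($r.First)..$($r.Last)"
$decoded = ConvertFrom-InterleavedHex -Encoded $r.Encoded -First $r.First -Last $r.Last
if ($decoded -cne 'Password') { throw 'Round trip failed.' }
$decoded
```

Stray hex characters elsewhere in the carrier (the `c` and `0` in the sample) show up as single-character array members but do not change the index of the pairs, because only non-hex characters produce a split point.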
Can this be decoded? Yes. Easily? No. Few have the knowledge or the patience to track backwards through this morass to figure out what the password is. When paired with an account with permissions only to the very narrowest possible resources needed to run the script, this will work as a “secure enough, good enough” sort of free solution.