THE SQL Server Blog Spot on the Web


Jamie Thomson

This is the blog of Jamie Thomson, a data mangler in London working for Dunnhumby

Prompt for a password with a mask using Powershell

Here’s some code that I absolutely know I’m going to need again in the future, what better place to put it than on my blog!

If you need to prompt the user for a password when using PowerShell, you want to make sure that the value typed in isn't visible on the screen. That's quite easy using the -AsSecureString parameter of the Read-Host cmdlet; however, it's not quite so easy to retrieve the supplied value. The following code shows how to do it:

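# Prompt with masked input; the result is a System.Security.SecureString
$response = Read-Host "What's your password?" -AsSecureString
# Copy the SecureString into an unmanaged BSTR and read it back as a plain string
$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($response))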

I don’t know of a quick and easy way to format Powershell code for a blog post so here’s a screenshot instead:


I’ve also put this on pastebin:

All credit goes to Paul Williams for his post Converting System.Security.SecureString to String (in PowerShell)
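
An added example, not code from the original post or its comments: the same conversion wrapped so that the BSTR allocated by SecureStringToBSTR is zeroed and freed in a finally block, with the result checked against the NetworkCredential route. The function name and the sample password are assumptions made for the illustration.

```powershell
# Added example. ConvertFrom-SecureStringToPlainText is a hypothetical name,
# and the sample password below is constructed so the block runs without a prompt.
function ConvertFrom-SecureStringToPlainText {
    param(
        [Parameter(Mandatory)]
        [System.Security.SecureString]$SecureString
    )

    $bstr = [IntPtr]::Zero
    try {
        # Copies the decrypted characters into unmanaged memory as a BSTR.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        # PtrToStringBSTR is the read call that matches a BSTR allocation.
        return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Overwrite the unmanaged copy with zeros and release it, even if the
        # read above threw. Without this the plain text stays in unmanaged memory.
        if ($bstr -ne [IntPtr]::Zero) {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

# Constructed input. In an interactive script this would be:
#   $secure = Read-Host "What's your password?" -AsSecureString
$secure = ConvertTo-SecureString 'Constructed-Sample-1!' -AsPlainText -Force

# Route 1: explicit BSTR handling with cleanup.
$viaBstr = ConvertFrom-SecureStringToPlainText -SecureString $secure

# Route 2: let NetworkCredential do the conversion; no unmanaged pointer
# is exposed to the script, so there is nothing to free by hand.
$viaCred = (New-Object System.Net.NetworkCredential('', $secure)).Password

if ($viaBstr -cne $viaCred) { throw 'The two conversion routes disagree.' }
"Both routes returned a $($viaBstr.Length)-character string."

# Either way the result is an immutable managed string that cannot be wiped;
# it stays in memory until garbage collected, so keep its scope short.
Remove-Variable viaBstr, viaCred
```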


Published Thursday, April 24, 2014 3:58 PM by jamiet



Iain Elder said:

Hey Jamie,

Fabio Pintos wrote about the risks of doing it like this and shows some alternatives.

Your method works, but could be risky because it looks like you don't free the unmanaged memory. The plain string will just be sitting there in memory for the lifetime of your script.

Besides, low-level string handling like that isn't in the spirit of PowerShell :-)

Issues like this make me nervous when I have to handle plain passwords, but for some tasks, like automating SQL Server installs, there's sadly no way around it yet.

When I have to do it I use the Get-Credential cmdlet because it provides a visual prompt. It shows dots instead of password characters and stores the password as a secure string.

If you need to get the plain version, call the GetNetworkCredential method.

The password field of the NetworkCredential is a managed string, so when it goes out of scope it should be cleaned up. I think...

May 11, 2014 7:12 PM

jamiet said:

Hi Iain,

This is great to know, thank you very much. I always tell people that one of the best reasons to blog is that you tend to learn more through the comments - yours is a great example of that.

Thanks for taking the time.


May 12, 2014 3:00 AM

Rich said:

What Iain says is valid but only works in instances in which you are working with credentials that already exist somewhere. If I'm trying to create a user account, say a local account on domain workstations, the credential set does not exist yet, and hence this method cannot be used. Another situation in which this will not work is if you are trying to change local admin passwords on domain computers and avoid using the weak hash provided by group policy preferences. In this example, you have a user name, but the existing password is irrelevant since you will be providing it. In both cases you need to provide an $user and $password variable. In most cases the script will be running from a memory space that is inaccessible to the end user anyway, so the risk is minimal.

January 16, 2015 12:23 PM

Satish Singh said:

Thanks for this post

July 16, 2015 11:29 PM

karun said:

Can you please say the method to enter the enable password in a router after I put in the password using :-


I mean how to enter the enable password after this, as I cannot execute commands in the router without that.

July 29, 2016 1:51 AM

