Compare two credentials in powershell

Question

I already have my credentials stored in an xml file.

$myCredential=Get-Credential -Message "Enter the credentials."
$myCredential | Out-File "C:\cred.xml"

Now, I have a script that prompts and gets new credential when it is run.

$newCredential= Get-Credential -Message "Enter your credential."

So, how do I check if the newly provided credential is matching with the old credential without decrypting the credentials to human understandable actual plain text?

Answer 1

Here is how to securely compare two SecureString objects without decrypting them:

# Safely compares two SecureString objects without decrypting them.
# Outputs $true if they are equal, or $false otherwise.
function Compare-SecureString {
  param(
    [Security.SecureString]
    $secureString1,

    [Security.SecureString]
    $secureString2
  )
  try {
    $bstr1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString1)
    $bstr2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString2)
    $length1 = [Runtime.InteropServices.Marshal]::ReadInt32($bstr1,-4)
    $length2 = [Runtime.InteropServices.Marshal]::ReadInt32($bstr2,-4)
    if ( $length1 -ne $length2 ) {
      return $false
    }
    for ( $i = 0; $i -lt $length1; ++$i ) {
      $b1 = [Runtime.InteropServices.Marshal]::ReadByte($bstr1,$i)
      $b2 = [Runtime.InteropServices.Marshal]::ReadByte($bstr2,$i)
      if ( $b1 -ne $b2 ) {
        return $false
      }
    }
    return $true
  }
  finally {
    if ( $bstr1 -ne [IntPtr]::Zero ) {
      [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr1)
    }
    if ( $bstr2 -ne [IntPtr]::Zero ) {
      [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr2)
    }
  }
}

You can use the above function to compare the Password property of two PSCredential objects thus:

$theyMatch = Compare-SecureString $cred1.Password $cred2.Password
if ( $theyMatch ) {
  ...
}