
Get a security credential object based on a user name and password.

      Get-Credential [-credential] PSCredential [CommonParameters]

      Get-Credential [[-UserName] String] -Message String

       A user name e.g."User01" or "Domain01\User01"
       When you submit the command, you are prompted for a password.

       Starting in Windows PowerShell 3.0, if you enter a user name without a domain, Get-Credential no longer
       inserts a backslash before the name.

       If you omit this parameter, you are prompted for a user name and a password.

   -Message String
       A message to appear in the authentication prompt.
       This parameter is designed for use in a function or script.
       Use the message to explain to the user why you are requesting credentials and how they will be used.
       (PowerShell 3.0+)

   -UserName String
       A user name. The authentication prompt will then request a password for the user name.
       By default, the user name is blank and the authentication prompt requests both a user name and password.

       When the authentication prompt appears in a dialog box, the user can edit the specified user name.
       However, the user cannot change the user name when the prompt appears at the command line.

       When using this parameter in a shared function or script, consider all possible presentations.
       (PowerShell 3.0+)

When you enter the command, you will be prompted for a password.
If you omit PSCredential, you will be prompted for a user name and a password.

PowerShell can store passwords in 3 different forms:

String - Plain text strings are stored in memory as unsecure plain text and most cmdlets will not accept passwords in this form.

SecureString - This type is encrypted in memory. It uses reversible encryption so the password can be decrypted when needed, but only by the same user principal that encrypted it. [System.Security.SecureString]
A SecureString can be read in from the terminal with Read-Host -AsSecureString

PSCredential - This class is composed of username (string) plus a password (SecureString). This is the type that most cmdlets require for specifying credentials. [System.Management.Automation.PSCredential]

Whenever possible do not ask users for a password, use integrated Windows authentication instead.
Passwords should not be saved to disk or the registry as plain text. Use a plaintext representation of SecureString.


Get a credential and save into a variable:

PS C:\> $ss64Cred = Get-Credential -Message 'Enter a credential for this SS64 demo script'

Use this credential (stored in the variable $ss64Cred) to run a Get-CimInstance command:

PS C:\> Get-CimInstance Win32_DiskDrive -ComputerName Server64 -Credential $ss64Cred

An alternative is to embed the Get-Credential cmdlet in an expression:

PS C:\> Get-CimInstance Win32_DiskDrive -ComputerName Server64 -Credential (Get-Credential Domain01\User64)

Create PSCredentials for the user (user64) with the (SecureString) password held in the variable $sec_password:

$UserName = "Domain\User64"
$Credentials = New-Object System.Management.Automation.PSCredential `
    -ArgumentList $UserName, $sec_password

Display the password from a PSCredential object using the GetNetworkCredential() method:

PS C:\> $PlainPassword = $Credentials.GetNetworkCredential().Password

