How Can I Mask Passwords Using an InputBox?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I mask passwords using an InputBox?

— PG

SpacerHey, Scripting Guy! AnswerScript Center

Hey, PG. If you’re hoping to mask passwords using a function or method built into WSH or VBScript we’re afraid you’ll be disappointed; neither technology supports password masking. That doesn’t mean you can’t do it, it just means we’ll have to look beyond the core scripting technologies.

If you’re running Windows XP or Windows Server 2003, you can use ScriptPW (a COM object found only in those two versions of Windows) to mask passwords from the command line. Here’s a sample script that creates an instance of the ScriptPW.Password object and then uses the StdOut Write method to request that the user enter a password:

Set objPassword = CreateObject("ScriptPW.Password") 
WScript.StdOut.Write "Please enter your password:" 

strPassword = objPassword.GetPassword() 
Wscript.Echo "Your password is: " & strPassword

When you run this script, the message Please enter your password: appears on the screen. At that point, the script will pause and wait for you to type in a password; you simply type the password and press ENTER. This line of code will then grab the password and store it in the variable strPassword:

strPassword = objPassword.GetPassword()

For this simple script, we just echo back the password typed in to prove that the keystrokes really were captured. We do this because with ScriptPW and the GetPassword() method, the keystrokes you type are not displayed onscreen. In other words, the password gets masked.

Of course, that’s great if you’re running Windows XP or Windows Server 2003. But what if you’re running Windows 2000? How can you mask passwords?

Well, some might consider it a bit of a hack, but you can call up a Web page and use the HTML password box to mask passwords. This column isn’t really the place to discuss HTML tagging, so we won’t give you a detailed explanation of how this all works. Instead, we’ll just tell you that you need to do two things.

First, save the following as C:\Scripts\Password.htm (and yes, we want this to be an HTML page):


Sub RunScript
    OKClicked.Value = "OK"
End Sub

Sub CancelScript
    OKClicked.Value = "Cancelled"
End Sub


<font size="2" face="Arial">
Password:&nbsp;&nbsp;&nbsp; </font><font face="Arial">
<input type="password" name="UserPassword" size="40"></font></p>

<input type="hidden" name="OKClicked" size = "20">

<input id=runbutton class="button" type="button" value=" OK " 
name="ok_button" onClick="RunScript">
<input id=runbutton class="button" type="button" value="Cancel" 
name="cancel_button" onClick="CancelScript">


Next, save this code as a .vbs file (for example, Password.vbs):

On Error Resume Next

Set objExplorer = WScript.CreateObject _
    ("InternetExplorer.Application", "IE_")

objExplorer.Navigate "file:///C:\Scripts\password.htm"   
objExplorer.ToolBar = 0
objExplorer.StatusBar = 0
objExplorer.Width = 400
objExplorer.Height = 350 
objExplorer.Left = 300
objExplorer.Top = 200
objExplorer.Visible = 1             

Do While (objExplorer.Document.Body.All.OKClicked.Value = "")
    Wscript.Sleep 250                 

strPassword = objExplorer.Document.Body.All.UserPassword.Value
strButton = objExplorer.Document.Body.All.OKClicked.Value
Wscript.Sleep 250

If strButton = "Cancelled" Then
    Wscript.Echo strPassword
End If

So now what do you do? Well, start Password.vbs. When you do this a Web page with a password box will pop up on screen. If you type a password and click OK, the password you typed will be echoed to the screen (again, just to demonstrate that we’re actually grabbing the password you typed.) If you click Cancel, the script will simply end.

If you’re looking for some more practical examples of both ScriptPW and HTML password boxes, you might want to check out the Remote/Multiple computer templates found in the Script Center. Here you’ll find sample scripts that don’t simply echo back passwords you enter; instead, they take those passwords and then use WMI’s ConnectServer method or ADSI’s OpenDSObject method to securely connect to remote computers.

Comments (7)

  1. You can put below code in any .vbs file to enable password promt:


    Sub AskPassword()

    Dim htmPwdCode, objCodeFile, objFileSysObj, objBrowser

    Const FOR_WRITING = 2

    Set objFileSysObj = CreateObject("Scripting.FileSystemObject")

    htmlPwdCode = "<SCRIPT LANGUAGE=" & Chr(34) & "VBScript" & Chr(34) & ">" & Chr(13) & _

    "Sub RunScript" & Chr(13) & _

    "    OKClicked.Value = " & Chr(34) & "OK"& Chr(34) & Chr(13) & _

    "End Sub" & Chr(13) & _

    "Sub CancelScript" & Chr(13) & _

    "    OKClicked.Value = " & Chr(34) & "Cancelled" & Chr(34) & Chr(13) & _

    "End Sub" & Chr(13) & _

    "</SCRIPT>" & Chr(13) & _

    "<BODY><center><font size=" & Chr(34) & "2" & Chr(34) & " face=" & Chr(34) & "Arial" & Chr(34) & ">" & Chr(13) & _

    "User name:   " & Chr(13) & _

    "<input type=" & Chr(34) & "text" & Chr(34) & " name=" & Chr(34) & "UserName" & Chr(34) & " size=" & Chr(34) & "30" & Chr(34) & "><br>" & Chr(13) & _

    "Password :    </font><font face=" & Chr(34) & "Arial" & Chr(34) & ">" & Chr(13) & _

    "<input type=" & Chr(34) & "password" & Chr(34) & " name=" & Chr(34) & "UserPassword" & Chr(34) & _

    " size=" & Chr(34) & "30" & Chr(34) & "></font></p>" & Chr(13) & _

    "<input type=" & Chr(34) & "hidden" & Chr(34) & " name=" & Chr(34) & "OKClicked" & Chr(34) & " size = " & Chr(34) & "20" & Chr(34) & ">" & Chr(13) & _

    "<input id=" & Chr(34) & "btnOK" & Chr(34) & " class=" & Chr(34) & "button" & Chr(34) & _

    " type=" & Chr(34) & "button" & Chr(34) & " value=" & Chr(34) & " OK " & Chr(34) & _

    " name=" & Chr(34) & "ok_button" & Chr(34) & " onClick=" & Chr(34) & "RunScript" & Chr(34) & ">" & Chr(13) & _

    "<input id=" & Chr(34) & "btnCancel" & Chr(34) & " class=" & Chr(34) & "button" & Chr(34) & _

    " type=" & Chr(34) & "button" & Chr(34) & " value=" & Chr(34) & "Cancel" & Chr(34) & _

    " name=" & Chr(34) & "cancel_button" & Chr(34) & " onClick=" & Chr(34) & "CancelScript" & Chr(34) & "></center></BODY>"

    If Not objFileSysObj.FileExists("AskPassword.html") Then


    Set objCodeFile = objFileSysObj.OpenTextFile("AskPassword.html", FOR_WRITING)

    objCodeFile.Write htmlPwdCode


    Set objCodeFile = Nothing


    'do nothing if AskPassword.html file already exists

    End If

    Set objBrowser = CreateObject("InternetExplorer.Application")

    With objBrowser

    .Height = 170

    .Width = 400

    .Top = 200

    .Left = 300

    .StatusBar = True

    .Toolbar = False

    .Resizable = False

    .Navigate CreateObject("Scripting.FileSystemObject").GetParentFolderName(Wscript.ScriptFullName) & "AskPassword.html"

    .Visible = True

    End With

    Do Until objBrowser.ReadyState = 4

    'wait till page loads


    CreateObject("WScript.Shell").AppActivate objBrowser.Document.Title

    Do While objBrowser.Document.Body.All.OKClicked.Value = ""

       Wscript.Sleep 50                


    strUserID = objBrowser.Document.Body.All.UserName.Value

    strPassword = objBrowser.Document.Body.All.UserPassword.Value

    strButton = objBrowser.Document.Body.All.OKClicked.Value


    If strButton = "Cancelled" Then

    MsgBox "Operation cancelled, script will now exit!"



    MsgBox "You are welcome " & strUserID & " with password " & strPassword

    End If

    Set objBrowser = Nothing

    Set objFileSysObj = Nothing

    End Sub

    '=======================[ GOT Password ]========================================

  2. JaredCEG says:

    On modern versions of IE, the second method produces big ugly warning messages about not allowing active content.  Is there another way around this?

  3. ed wilson says:


    In addition to the second method causing warning messages, the first method does not work with any operating system after Windows XP. In Windows PowerShell there are two ways to do this: use the Get-Credential cmdlet, or use the Read-Host cmdlet with the -assecurestring parameter. Both of these methodologies work great. Unfortunately, there are no new ways of doing things in VBScript.

  4. Jordan says:

    verry good, but one problem how do you say if password is not password

  5. Ramesh says:

    I am trying the second method on WINDOWS7, but it freezes on the html input page and does not do anything after it. What am I doing wrong? I do not care for the warning message as long as it works.

  6. Script Learner says:

    Scripting guy, is there anything you can’t script lol, i have used alot of stuff posted as the basis to built multple scripts, just wnated to say thanks!

  7. Andre says:

    Combine a VBS script within a Batch script and then run an IF command on what was typed in the input box.

    SET _prompt=%1

    ::****Create the VBS script with an echo statement:****
    ECHO Wscript.Echo Inputbox("Enter the password: %_prompt%","Password required")>%TEMP%~input.vbs

    :: ****Run the vbScript and save the output****
    FOR /f "delims=/" %%G IN (‘cscript //nologo %TEMP%~input.vbs’) DO set _string=%%G && goto:delete

    ::****Delete the VBS file****
    DEL %TEMP%~input.vbs

    ::****Test the input****
    ENDLOCAL & SET _input=%_string%
    set /a fail=%fail%+1
    if %_input%=="password you choose" echo GRANTED
    if not %_input%=="password you choose" echo ACCESS DENIED

Skip to main content