PowerShell - Password Generator - How to always include number in string?

Question

I have the following PowerShell script that creates a random string of 15 digits, for use as an Active Directory password.

The trouble is, this works great most of the time, but on some occasions it doesn't use a number or symbol. I just get 15 letters. This is then not usable as an Active Directory password, as it must have at least one number or symbol in it.

$punc = 46..46
$digits = 48..57
$letters = 65..90 + 97..122
$YouShallNotPass = get-random -count 15 `
-input ($punc + $digits + $letters) |
% -begin { $aa = $null } `
-process {$aa += [char]$_} `
-end {$aa}

Write-Host "Password is $YouShallNotPass"

How would I amend the script to always have at least one random number or symbol in it?

Thank you.

Martin Brandl · Accepted Answer · 2016-05-16T15:09:30.867

21

You could invoke the Get-Random cmdlet three times, each time with a different input parameter (punc, digit and letters), concat the result strings and shuffle them using another Get-Random invoke:

 (Get-Random -Count 15 -InputObject ([char[]]$yourPassword)) -join ''

However, why do you want to reinvent the wheel? Consider using the following GeneratePassword function:

[Reflection.Assembly]::LoadWithPartialName("System.Web")
[System.Web.Security.Membership]::GeneratePassword(15,2)

And to ensure, it contains at least one random number (you already specify the number of symbols):

do {
   $pwd = [System.Web.Security.Membership]::GeneratePassword(15,2)
} until ($pwd -match '\d')

edited May 16 '16 at 15:09

answered May 16 '16 at 14:38

Martin Brandl

56,134
13
133
172

2

`[System.Web.Security]` is not on my machine. What do I do? Also, `LoadWithPartialName` is deprecated. Use `[System.Reflection.Assembly]::Load()` instead – Kellen Stuart Oct 27 '17 at 16:22
1

The `(Get-Random -Count 15 -InputObject ([char[]]$yourPassword)) -join ''` variant chooses random values out of the input, but it will never repeat the selection, so e.g. requesting 15 random values from the digits set (10 digits) will return those 10 digits in random order, not 15. – Hilarion Oct 11 '19 at 02:22

iRon · Answer 2 · 2022-05-27T15:03:31.167

As suggested by jisaak, there is no 100% guaranty that the Membership.GeneratePassword Method generates a password that meets the AD complexity requirements.

That's why I reinvented the wheel:

Function Create-String([Int]$Size = 8, [Char[]]$CharSets = "ULNS", [Char[]]$Exclude) {
    $Chars = @(); $TokenSet = @()
    If (!$TokenSets) {$Global:TokenSets = @{
        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'                                #Upper case
        L = [Char[]]'abcdefghijklmnopqrstuvwxyz'                                #Lower case
        N = [Char[]]'0123456789'                                                #Numerals
        S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'                         #Symbols
    }}
    $CharSets | ForEach {
        $Tokens = $TokenSets."$_" | ForEach {If ($Exclude -cNotContains $_) {$_}}
        If ($Tokens) {
            $TokensSet += $Tokens
            If ($_ -cle [Char]"Z") {$Chars += $Tokens | Get-Random}             #Character sets defined in upper case are mandatory
        }
    }
    While ($Chars.Count -lt $Size) {$Chars += $TokensSet | Get-Random}
    ($Chars | Sort-Object {Get-Random}) -Join ""                                #Mix the (mandatory) characters and output string
}; Set-Alias Create-Password Create-String -Description "Generate a random string (password)"

Usage:

The Size parameter defines the length of the password.
The CharSets parameter defines the complexity where the character U, L, N and S stands for Uppercase, Lowercase, Numerals and Symbols. If supplied in lowercase (u, l, n or s) the returned string might contain any of character in the concerned character set, If supplied in uppercase (U, L, N or S) the returned string will contain at least one of the characters in the concerned character set.
The Exclude parameter lets you exclude specific characters that might e.g. lead to confusion like an alphanumeric O and a numeric 0 (zero).

Examples:

To create a password with a length of 8 characters that might contain any uppercase characters, lowercase characters and numbers:

Create-Password 8 uln

To create a password with a length of 12 characters that that contains at least one uppercase character, one lowercase character, one number and one symbol and does not contain the characters OLIoli01:

Create-Password 12 ULNS "OLIoli01"

For the latest New-Password version: use:

Install-Script -Name PowerSnippets.New-Password

Why do you statically define `A-Z`? Just do a loop that goes through the ASCII range — Kellen Stuart, Oct 27 '17 at 16:24
I agree, I could have done something like `U = 65..90 | % {[Char]$_}` but I guess that I didn't do this because the symbols are not in order and I wanted it to be consistent. — iRon, Oct 27 '17 at 16:50

score 2 · Answer 3 · edited Nov 12 '18 at 10:31

2

Command to Generate Random passwords by using existing funciton:

[system.web.security.membership]::GeneratePassword(x,y)

x = Length of the password
y = Complexity

General Error:

Unable to find type [system.web.security.membership]. Make sure that the assembly that contains this type is loaded.

Solution:

Run the below command:

Add-Type -AssemblyName System.web;

edited Nov 12 '18 at 10:31

Rajeev Atmakuri

888
1
10
22

answered Nov 12 '18 at 07:20

sameervsarma

37
5

The "complexity" argument isn't complexity. It's the number of non-alphabetic characters. See: https://learn.microsoft.com/en-us/dotnet/api/system.web.security.membership.generatepassword?view=netframework-4.7.2 – Jari Turkia Feb 14 '19 at 11:26

score 0 · Answer 4 · answered Nov 10 '18 at 18:53

Another solution:

function New-Password() {
    param(
        [int] $Length = 10,
        [bool] $Upper = $true,
        [bool] $Lower = $true,
        [bool] $Numeric = $true,
        [string] $Special
    )

    $upperChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    $lowerChars = "abcdefghijklmnopqrstuvwxyz"
    $numericChars = "0123456789"

    $all = ""
    if ($Upper) { $all = "$all$upperChars" }
    if ($Lower) { $all = "$all$lowerChars" }
    if ($Numeric) { $all = "$all$numericChars" }
    if ($Special -and ($special.Length -gt 0)) { $all = "$all$Special" }

    $password = ""
    for ($i = 0; $i -lt $Length; $i++) {
        Write-Host "password: [$password]"
        $password = $password + $all[$(Get-Random -Minimum 0 -Maximum $all.Length)]
    }

    $valid = $true
    if ($Upper -and ($password.IndexOfAny($upperChars.ToCharArray()) -eq -1)) { $valid = $false }
    if ($Lower -and ($password.IndexOfAny($lowerChars.ToCharArray()) -eq -1)) { $valid = $false }
    if ($Numeric -and ($password.IndexOfAny($numericChars.ToCharArray()) -eq -1)) { $valid = $false }
    if ($Special -and $Special.Length -gt 1 -and ($password.IndexOfAny($Special.ToCharArray()) -eq -1)) { $valid = $false }

    if (-not $valid) {
        $password = New-Password `
            -Length $Length `
            -Upper $Upper `
            -Lower $Lower `
            -Numeric $Numeric `
            -Special $Special
    }

    return $password
}

Flexible enough to set length, turn on/of upper, lower, and numeric, and set the list of specials.

score 0 · Answer 5 · edited May 19 '20 at 04:25

0

I had the same issue here is the snippet I used to create my alphanumerical password its simple all I have done is used ASCII regex replace to make it nice.

Function Password-Generator ([int]$Length)
{
    # Generate passwords just call password-generator(lenght of password)
    $Assembly = Add-Type -AssemblyName System.Web
    $RandomComplexPassword = [System.Web.Security.Membership]::GeneratePassword($Length,2)
    $AlphaNumericalPassword = $RandomComplexPassword -replace '[^\x30-\x39\x41-\x5A\x61-\x7A]+'
    Write-Output $AlphaNumericalPassword
}

edited May 19 '20 at 04:25

OutOfThisPlanet

336
3
17

answered Feb 20 '19 at 10:35

PhiCipher

1

1

The problem with this method is the "Length" of the output is never the value that was the input, because of the "Replace" step. – OutOfThisPlanet May 18 '20 at 15:53

Hilarion · Answer 6 · 2019-10-11T03:06:56.997

My take on generating passwords in PowerShell, based on what I've found here and in the Internets:

#Requires -Version 4.0
[CmdletBinding(PositionalBinding=$false)]
param (
    [Parameter(
        Mandatory = $false,
        HelpMessage = "Minimum password length"
    )]
    [ValidateRange(1,[int]::MaxValue)]
    [int]$MinimumLength = 24,

    [Parameter(
        Mandatory = $false,
        HelpMessage = "Maximum password length"
    )]
    [ValidateRange(1,[int]::MaxValue)]
    [int]$MaximumLength = 42,

    [Parameter(
        Mandatory = $false,
        HelpMessage = "Characters which can be used in the password"
    )]
    [ValidateNotNullOrEmpty()]
    [string]$Characters = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@#%*-_+:,.'
)

(1..(Get-Random -Minimum $MinimumLength -Maximum $MaximumLength) `
| %{ `
    $Characters.GetEnumerator() | Get-Random `
}) -join ''

I preferred this over using System.Web, not to introduce dependencies, which could change with .Net / .Net Core versions.
My variation also allows random password length (in specified range), is fairly concise (apart from the parameters section, which is quite verbose, to enforce some validations and provide defaults) and allows character repetitions (as opposite to the code in the question, which never repeats the same character).

I understand, that this does not guarantee a digit in the password. This however can be addressed in different ways. E.g. as was suggested, to repeat the generation until the password matches the requirements (contains a digit). My take would be:

Generate a random password.
If it does not contain a digit (or always):
- Use a random function to get 1 random digit.
- Add it to the random password.
- Randomize the order of the result (so the digit is not necessarily always at the end).

Assuming, that the above script would be named "Get-RandomPassword.ps1", it could look like this:

$pass = .\Get-RandomPassword.ps1
$pass += (0..9 | Get-Random)
$pass = (($pass.GetEnumerator() | Get-Random -Count $pass.Length) -join '')
Write-Output $pass

This can be generalized, to enforce using any character category:

$sets = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789', '()-_=+[{]};:''",<.>/?`~')
$pass = .\Get-RandomPassword.ps1 -Characters ($sets -join '')
foreach ($set in $sets) {
    $pass += ($set.GetEnumerator() | Get-Random)
}
$pass = (($pass.GetEnumerator() | Get-Random -Count $pass.Length) -join '')
Write-Output $pass

OutOfThisPlanet · Answer 7 · 2020-05-18T10:31:49.247

I wrote a secure password generator function in PowerShell, maybe this will be useful to someone.

Similar to the accepted answer, this script also uses Get-Random (twice), and also regular expression matching to ensure the output is secure. The difference in this script is that the password length can also be randomised.

(To hard set a password length, just set the MinimumPasswordLength and MaximumPasswordLength values to the the same length.)

It also allows an easy to edit character set, and also has a regex to ensure a decent password has been generated with all of the following characteristics:

(?=.*\d) must contain at least one numerical character

(?=.*[a-z]) must contain at least one lowercase character

(?=.*[A-Z]) must contain at least one uppercase character

(?=.*\W) must contain at least one non-word character

The answer to your question about always including a number in your generated output can be solved by checking the output with a regex match (just use the parts of the regex that you need, based on the explanations above), the example here checks for uppercase, lowercase, and numerical:

$Regex = "(?=.*\d)(?=.*[a-z])(?=.*[A-Z])"

do {
        $Password = ([string]($AllowedPasswordCharacters |
        Get-Random -Count $PasswordLength) -replace ' ')
    }    until ($Password -cmatch $Regex)

$Password

Here is the full script:

Function GeneratePassword
{
    cls
    $MinimumPasswordLength = 12
    $MaximumPasswordLength = 16
    $PasswordLength = Get-Random -InputObject ($MinimumPasswordLength..$MaximumPasswordLength)
    $AllowedPasswordCharacters = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!?@#£$%^&'
    $Regex = "(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)"

    do {
            $Password = ([string]($AllowedPasswordCharacters |
            Get-Random -Count $PasswordLength) -replace ' ')
       }    until ($Password -cmatch $Regex)

    $Password

}

GeneratePassword

score 0 · Answer 8 · edited Sep 10 '20 at 07:22

0

I've created this. You can choose how many Pwd to create

$howoften = Read-Host "How many would you like to create: "
$i = 0
do{
    (-join(1..42 | ForEach {((65..90)+(97..122)+(".") | % {[char]$_})+(0..9)+(".") | Get-Random}))
    $i++
} until ($i -match $howoften)

To change the length of the pwd simply edit the "42" in line 4

(-join(1..**42** | ForEach ...

edited Sep 10 '20 at 07:22

David Buck

3,752
35
31
35

answered Sep 10 '20 at 06:56

Sebi

1
1

PowerShell - Password Generator - How to always include number in string?

8 Answers8

Linked