Scrambling an Egg: A How-To Guide on Random Password Generation in PowerShell

When you're dealing with large-scale organizations, automation is key. Automation is great! You get fast results, you get consistent results, and you only have to do the really hard work of automating the thing once. If you've ever had to deal with anything at a larger scale, you know exactly what I'm talking about.

One of the things we all need to deal with from time to time are user accounts. They can be a pain to deal with, but ultimately, our colleagues need these accounts to keep the business going. Without the users and their accounts, we don't get paid!

Of course, user accounts need passwords, and passwords should generally be randomized, and computers are notoriously bad at being random. All of those challenges led me to ask the unexpectedly profound question; How do you make a random password in a PowerShell script?

If you hit up The Google, you'll get a lot of "answers" to the question, but I could find really basic flaws in every single one of them. Usually, the problems revolve around the predictability of the character sets being used for any given position in the string. For example, a programmer might need to allow for the creation of an 8 character password with at least one special character in it. In the code, they'll generate 7 completely randomized lowercase characters, and then exactly 1 special character. They'll append that to the end of the string and call that "random"

Here's the rub, it's not random. Every time I know something about your string, the effort it takes me to crack it goes down. Every time it's possible to eliminate some character space out of the total possible list of passwords, the bad guys jobs are easier. In this case, I know that we have 7 random lowercase characters, and 1 character at the end that will always be one of about a dozen special characters. That means I don't have to check AT ALL for the rest of the possible characters in the final character. I know it will always be one of a limited number of options.

Similar issues exist for effectively every other algorithm I found. In some of them, we know how many of each character set is used, or we know where in the string they are located. These problems might seem like very not-at-all-real-world issues, but to somebody with a GPU farm, it's the difference between taking 3 weeks to crack your passwords, or 7 years.

Now, there is a caveat here. I rely on the built-in random number generator in PowerShell; "Get-Random". I am well aware of the fact that computers can't really make random numbers, and the fundamental flaw of building a random password generator on a fundamentally pseudo-random piece of code doesn't escape me. I'm going to ignore that. If you are interested in fixing it, I'm all ears. For my purposes, and probably for yours too, the pseudo-randomness of Get-Random is probably fine. Ok, now on to the code:

function New-RandomizedPassword
{
    [CmdletBinding()]
    param (
        # Number of characters in password, defaults to 8
        [Parameter(Mandatory=$false)]
        [ValidateRange(6, 64)]
        [Int]$PasswordLength = 8,


        # Is at least 1 uppercase character required for password? Defaults to false
        [Parameter(Mandatory = $false)]
        [bool]$RequiresUppercase = $false,


        # Is at least 1 numerical character required for password? Defaults to false
        [Parameter(Mandatory = $false)]
        [bool]$RequiresNumerical = $false,


        # Is at least 1 special character required for password? Defaults to false
        [Parameter(Mandatory = $false)]
        [bool]$RequiresSpecial = $false
    )


    [string]$Password = ""


    if (($RequiresUppercase -eq $true) -and ($RequiresNumerical -eq $true) -and ($RequiresSpecial -eq $true))
    {
        $Password += ((65..90) | Get-Random | ForEach-Object {[char]$_}) # Add an uppercase character
        $Password += ((48..57) | Get-Random | ForEach-Object {[char]$_}) # Add a number
        $Password += ((33..38) + (40..47) + (58..64) | Get-Random | ForEach-Object {[char]$_}) # Add a special character
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 4); $i++)
        {
            $Password += ((33..38) + (40..47) + (58..64) + (65..90) + (48..57) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $true) -and ($RequiresNumerical -eq $true) -and ($RequiresSpecial -eq $false))
    {
        $Password += ((65..90) | Get-Random | ForEach-Object {[char]$_}) # Add an uppercase character
        $Password += ((48..57) | Get-Random | ForEach-Object {[char]$_}) # Add a number
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 3); $i++)
        {
            $Password += ((65..90) + (48..57) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $true) -and ($RequiresNumerical -eq $false) -and ($RequiresSpecial -eq $true))
    {
        $Password += ((65..90) | Get-Random | ForEach-Object {[char]$_}) # Add an uppercase character
        $Password += ((33..38) + (40..47) + (58..64) | Get-Random | ForEach-Object {[char]$_}) # Add a special character
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 3); $i++)
        {
            $Password += ((33..38) + (40..47) + (58..64) + (65..90) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $true) -and ($RequiresNumerical -eq $false) -and ($RequiresSpecial -eq $false))
    {
        $Password += ((65..90) | Get-Random | ForEach-Object {[char]$_}) # Add an uppercase character
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 2); $i++)
        {
            $Password += ((65..90) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $false) -and ($RequiresNumerical -eq $true) -and ($RequiresSpecial -eq $true))
    {
        $Password += ((48..57) | Get-Random | ForEach-Object {[char]$_}) # Add a number
        $Password += ((33..38) + (40..47) + (58..64) | Get-Random | ForEach-Object {[char]$_}) # Add a special character
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 3); $i++)
        {
            $Password += ((33..38) + (40..47) + (58..64) + (48..57) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $false) -and ($RequiresNumerical -eq $true) -and ($RequiresSpecial -eq $false))
    {
        $Password += ((48..57) | Get-Random | ForEach-Object {[char]$_}) # Add a number
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 2); $i++)
        {
            $Password += ((48..57) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $false) -and ($RequiresNumerical -eq $false) -and ($RequiresSpecial -eq $false))
    {
        for($i = 1; $i -le $PasswordLength; $i++)
        {
            $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    elseif (($RequiresUppercase -eq $false) -and ($RequiresNumerical -eq $false) -and ($RequiresSpecial -eq $true))
    {
        $Password += ((33..38) + (40..47) + (58..64) | Get-Random | ForEach-Object {[char]$_}) # Add a special character
        $Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character


        for($i = 1; $i -le ($PasswordLength - 4); $i++)
        {
            $Password += ((33..38) + (40..47) + (58..64) + (97..122) | Get-Random | ForEach-Object {[char]$_})
        }
    }
    $CharacterArray = $Password.ToCharArray()
    $ScrambledCharacterArray = $CharacterArray | Get-Random -Count $CharacterArray.Length
    return -join $ScrambledCharacterArray
}        

One other thing I forgot to mention earlier... I want my password generator to be customizable. I want the user to be able to specify the following pieces of information; the password length, whether there are uppercase, whether there are special, and whether there are numerical. I know that I just pasted 110 lines of code, but I assure you that the actual algorithm isn't that complicated if you study it for a second. I'll break down the components now.

So, effectively what we have here are 4 completely optional parameters, 8 if statements, and some logic to scramble the order of characters at the end. If you call "New-RandomizedPassword" with no parameters at all, you'll get a default of 8 random lowercase characters. If you specify, for example, the "-RequiresUppercase $true" parameter, you'll get a random string which contains at least 1 uppercase character, but possibly more, and at least 1, but possibly more lowercase characters. The characters will be in a completely random order as well. This pattern is true for all of the other parameters too. You can mix and match to meet your unique complexity requirements.

I won't bother covering the parameters any further, they're pretty self explanatory. Instead, I'll start with the if statements. We of course begin with a completely empty string.

[string]$Password = ""        

Depending on which character sets were indicated in the parameters, different if statements will be run. Let's take a look at the first one, where the user has selected all 3 character sets.

What this code does is generates a random number somewhere within the range of the character code of the character set, converts the character code to the actual character, and then stores it in our string.

$Password += ((65..90) | Get-Random | ForEach-Object {[char]$_}) # Add an uppercase character

$Password += ((48..57) | Get-Random | ForEach-Object {[char]$_}) # Add a number

$Password += ((33..38) + (40..47) + (58..64) | Get-Random | ForEach-Object {[char]$_}) # Add a special character

$Password += ((97..122) | Get-Random | ForEach-Object {[char]$_}) # Add a lowercase character        

As you can see, we have 4 lines of code here. Each line adds at least 1 character from each of our 4 character sets (uppercase, lowercase, numerical, and special). There are 6 ranges to deal with, and you can find them documented here: ASCII Character Table

• (65..90) - All uppercase characters
• (48..57) - All numerical characters
• (33..38) + (40..47) + (58..64) - All special characters
• (97..122) - All lowercase characters

So now our string contains at least 1 character from each character sets. However, we still have more characters to fill in. We've only got 4 characters in our string, and we might need a lot more to fill out the rest of the specified password length. For that, we go into the for loop.

for($i = 1; $i -le ($PasswordLength - 4); $i++)
{
      $Password += ((33..38) + (40..47) + (58..64) + (65..90) + (48..57) + (97..122) | Get-Random | ForEach-Object {[char]$_})
}        

All this code does is for each remaining character in the string, add a random character from any of the character sets applicable. So, in this case, since it's the first if statement where all character sets are enabled, it will add a random character from all character sets, and it will do that however many times are left in the PasswordLength parameter. Note that I'm subtracting 4 from the PasswordLength value for the loop. This is because we've already added 1 character from all 4 character sets.

Now, we still know some things about our string. We know that the first character is an uppercase, we know that the second character is numerical, we know that the 3rd character is special, and we know that the 4th character is lowercase. So obviously, we need to fix that.

This little piece of code effectively takes the string we just generated, converts it to a character array, and then scrambles the order of the character array. The return statement then reassembles the character array into a string, and returns it to the function caller.

$CharacterArray = $Password.ToCharArray()
$ScrambledCharacterArray = $CharacterArray | Get-Random -Count $CharacterArray.Length
return -join $ScrambledCharacterArray        

That wraps us up neatly. We now have a string which contains at least 1 of each character set specified, but maybe also more. The characters are all in random order, and a would be attacker would know exactly nothing about the strings our random password generator would spit out based on looking at the algorithm. The string is also of an arbitrary length, somewhere between 6 and 64, based on what the user specified.