Passwords have always been a popular topic in IT security. What are the guidelines? Which characters must be included? How often does a password have to be changed? What is the procedure when a user forgets it?
PowerShell lends itself well to generating individual random passwords, and a password script of this kind can also be used to manage users in Active Directory.
Generating passwords – Reasons
You almost always need an initial password, whether for a new user in the network or to reset a forgotten one. Either way you assign a randomly generated password that the user can use to log in temporarily.
That is easier said than done. In practice the password cannot be arbitrary: it has to satisfy the domain password policy, which is awkward if you have no application that generates passwords according to that policy. With PowerShell you can solve this yourself and generate compliant passwords with a small, customized script.
This article therefore shows how to write a script that produces passwords complying with your security policy, and that is easy to adjust when the policy changes.
To create a password, we need to follow two steps.
Step 1: Random characters for your random password
First, you generate a string of characters chosen at random from a set you define. To keep this generic you need a function that is told how many characters are required and which set of characters to draw them from.
So the function looks like this:
function Get-RandomCharacters($length, $characters) {
    # Draw $length indices into $characters; Get-Random -Maximum N returns 0..N-1.
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    # Casting an array to [String] joins it with $OFS (a space by default);
    # $private: limits the empty separator to this function.
    $private:ofs = ""
    return [String]$characters[$random]
}
The function draws $length random indices into the string it was given (Get-Random -Maximum N returns a value from 0 to N-1, which is exactly the valid index range). It then returns the characters at those indices as one string: casting a character array to [String] joins its elements with the separator held in $OFS, a space by default, so the function first sets $OFS to the empty string ($private: keeps that change local to the function). With this function you can build a random password string: depending on the rules you have to meet, you call it once per character class with the matching set and count, and concatenate the results into the initial password.
The password policy could be as follows:
- At least 8 characters
- At least one of them upper case
- At least one of them a digit
- At least one of them a special character
- The rest lower case
In summary, this is how you build the string:
# One call per character class; the counts add up to the 8-character minimum.
# The sets leave out j, q, I, J and Q (presumably to avoid characters that are
# easily misread); adjust them to match your own policy's definition of each class.
$password = Get-RandomCharacters -length 5 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 1 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 1 -characters '1234567890'
$password += Get-RandomCharacters -length 1 -characters '!"§$%&/()=?}][{@#*+'
Step 2: Random order
Now you could use the password, but one issue remains. Every password built this way has its character classes at the same positions: in the example above, always five lower-case letters, then one upper-case letter, one digit and finally one special character. An attacker who learns how the initial passwords are generated (from one leaked password, or from the script itself) can restrict a brute-force or mask attack to exactly that pattern. With the sets used here that is 24^5 x 23 x 10 x 19, roughly 3.5 x 10^10 candidates (about 2^35). Shuffling the characters places the three non-lowercase characters in any of 8 x 7 x 6 = 336 position combinations, which raises the space to about 1.2 x 10^13 (about 2^43). That is still far too small to resist an offline attack on a captured hash, so treat the result as an initial password that must be changed at first logon, and increase the length if it has to live longer. Either way, you should shuffle the characters of the password again.
For this you need another function, which takes the random password and shuffles the order of its characters:
function Scramble-String([string]$inputString) {
    $characterArray = $inputString.ToCharArray()
    # Get-Random -Count with the full array length returns every element once, in random order.
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length
    $outputString = -join $scrambledStringArray
    return $outputString
}
This function simply converts the password into a character array, lets Get-Random -Count pick every element of that array in random order (a random permutation), and joins the result back into a string with -join. Now you have a random password that meets the policy.
One caveat: Get-Random is a general-purpose cmdlet whose documentation does not guarantee cryptographic-quality randomness (with -SetSeed it is fully deterministic), and its implementation may change between PowerShell versions. For a temporary password that must be changed at first logon this is usually acceptable; if the password has to be a real secret, draw the characters from System.Security.Cryptography.RandomNumberGenerator instead, whose output is guaranteed to be cryptographically secure.
If you print the string before and after the function runs (the complete script below does this with two Write-Host calls), you can watch the shuffle in action. Keep in mind that Write-Host output still lands in any running transcript (Start-Transcript) and on a shared screen; in production, hand the value to the directory instead of displaying it.
Standard AD user administration: Password script used in FirstWare IDM-Portal
The script shown above, or a variant of it, is used quite often in our FirstWare IDM-Portal. With the IDM-Portal you can manage users in your Active Directory quickly and efficiently and automate many processes.
Customize user administration with PowerShell scripts
To improve AD user administration the IDM-Portal provides an interface, the PowerShell provider, for PS scripts like the one described above. It lets you use your own scripts in the IDM-Portal, e.g. to create random passwords.
Script changes and delegated administration
When the password policy changes there is a simple way to update quickly: a minor change in the script takes effect immediately, with no further configuration for any user of the IDM-Portal.
You may ask how this affects colleagues who perform delegated Active Directory tasks in the IDM-Portal.
Nothing changes for non-IT employees with delegated administrative rights. If HR creates a new user in AD via the IDM-Portal, for example, the changed version of the "random password script" is loaded automatically.
Complete script: Random password with PowerShell
Finally, here is the complete script. Feel free to copy it and try it yourself:
function Get-RandomCharacters($length, $characters) {
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length }
    $private:ofs = ""
    return [String]$characters[$random]
}

function Scramble-String([string]$inputString) {
    $characterArray = $inputString.ToCharArray()
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length
    $outputString = -join $scrambledStringArray
    return $outputString
}

$password = Get-RandomCharacters -length 5 -characters 'abcdefghiklmnoprstuvwxyz'
$password += Get-RandomCharacters -length 1 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
$password += Get-RandomCharacters -length 1 -characters '1234567890'
$password += Get-RandomCharacters -length 1 -characters '!"§$%&/()=?}][{@#*+'

Write-Host $password
$password = Scramble-String $password
Write-Host $password
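As an added example that is not part of the original article, here is the same two-step construction (pick characters per class, then shuffle) with every random choice drawn directly from System.Security.Cryptography.RandomNumberGenerator instead of Get-Random: integers are taken with rejection sampling so that "value % Max" cannot favour low indices, step 2 is a Fisher-Yates shuffle, and the result is checked against the policy from the list above before it is returned. The function names (Get-CryptoRandomInt, Get-SecureRandomCharacters, Invoke-SecureShuffle, Test-PasswordPolicy, New-InitialPassword) and the account name 'jdoe' in the commented AD calls are assumptions of this example; the character sets are the article's.

```powershell
# Added example, not the article's own code. Same two-step construction as the
# article, but every random choice comes from the .NET cryptographic generator,
# which is a CSPRNG on both Windows PowerShell 5.1 and PowerShell 7.
# Function names are assumptions of this example; character sets are the article's.
Set-StrictMode -Version Latest

# One generator for the whole script. RandomNumberGenerator.Create() exists on
# .NET Framework and .NET (Core), so this runs on PowerShell 5.1 and 7+.
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-CryptoRandomInt {
    # Uniform integer in [0, $Max). Four random bytes give a value in [0, 2^32);
    # values at or above the largest multiple of $Max are discarded and redrawn,
    # so "$value % $Max" is exactly uniform (no modulo bias).
    param([Parameter(Mandatory)][int]$Max)
    if ($Max -lt 1) { throw "Max must be at least 1" }
    $limit = 4294967296 - (4294967296 % $Max)   # 2^32 rounded down to a multiple of $Max
    $bytes = New-Object byte[] 4
    do {
        $Rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function Get-SecureRandomCharacters {
    # Counterpart of the article's Get-RandomCharacters: $Length characters drawn
    # independently from $Characters, joined without separators.
    param([Parameter(Mandatory)][int]$Length, [Parameter(Mandatory)][string]$Characters)
    if ($Length -lt 1) { return '' }    # "1..0" would iterate twice; guard it
    $picked = foreach ($i in 1..$Length) {
        $Characters[(Get-CryptoRandomInt -Max $Characters.Length)]
    }
    return -join $picked
}

function Invoke-SecureShuffle {
    # Counterpart of the article's Scramble-String: an in-place Fisher-Yates
    # shuffle, so every permutation of the input is equally likely.
    param([Parameter(Mandatory)][string]$InputString)
    $chars = $InputString.ToCharArray()
    for ($i = $chars.Length - 1; $i -gt 0; $i--) {
        $j = Get-CryptoRandomInt -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-PasswordPolicy {
    # The policy from the article's list: at least 8 characters with at least one
    # upper-case letter, one lower-case letter, one digit and one special character.
    # -cmatch is case-sensitive; plain -match would treat [A-Z] and [a-z] alike.
    param([Parameter(Mandatory)][string]$Password)
    return ($Password.Length -ge 8) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and
           ($Password -match '[0-9]') -and
           ($Password -cmatch '[^A-Za-z0-9]')
}

function New-InitialPassword {
    # Step 1 and step 2 from the article, followed by a check that the result
    # really satisfies the policy before it is handed out.
    $lower   = 'abcdefghiklmnoprstuvwxyz'
    $upper   = 'ABCDEFGHKLMNOPRSTUVWXYZ'
    $digits  = '1234567890'
    $special = '!"§$%&/()=?}][{@#*+'   # contains §: save the file as UTF-8 with BOM for PowerShell 5.1

    $pw  = Get-SecureRandomCharacters -Length 5 -Characters $lower
    $pw += Get-SecureRandomCharacters -Length 1 -Characters $upper
    $pw += Get-SecureRandomCharacters -Length 1 -Characters $digits
    $pw += Get-SecureRandomCharacters -Length 1 -Characters $special
    $pw  = Invoke-SecureShuffle -InputString $pw

    if (-not (Test-PasswordPolicy -Password $pw)) {
        throw "Generated password does not satisfy the policy: check the character sets"
    }
    return $pw
}

# Usage: hand the password to AD as a SecureString instead of echoing it with
# Write-Host, which would leave it in transcripts and console history.
# The account name 'jdoe' is a placeholder; the AD cmdlets need the
# ActiveDirectory module and are left commented so the script runs stand-alone.
$initial = New-InitialPassword
$secure  = ConvertTo-SecureString -String $initial -AsPlainText -Force
# Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $secure
# Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true
```

Run New-InitialPassword interactively to see a sample value. On PowerShell 7 (.NET Core 3.0 or later) the static method [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($Max) already does what Get-CryptoRandomInt does and can replace it; the byte-based version is kept here because it also works on Windows PowerShell 5.1. Test-PasswordPolicy is deliberately kept as a separate function so that a policy change is a change to one function and one set of constants, which is also the place to raise the length if the password is meant to outlive the first logon.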
FirstAttribute AG – Microsoft Consulting Partner for
Migration and Active Directory