UPDATE 2015-01-04: I’ve updated the script on Technet Gallery: https://gallery.technet.microsoft.com/Generate-a-random-and-5c879ed5
Drastically improved performance and randomization logic.
When provisioning new users to Active Directory we need to provide a new password, and of course we want that password to be random.
These are my thoughts and three methods for generating passwords: the first two are quite simple and straightforward, the third is a little more complex and definitely the one I recommend.
It’s quite easy to pipe a bunch of chars to Get-Random to get a somewhat random password like this:
The problem with this approach is that we cannot guarantee that the password will be accepted by AD as complex enough, since it could return a password containing only lowercase letters a-z.
Another way is to use the .NET class System.Web.Security.Membership and call its GeneratePassword method like this:
This method takes two parameters: the length and the minimum number of non-alphanumeric characters. In the example above it generates a password of 8 characters containing at least 2 non-alphanumeric characters. This is a bit closer to passing the AD requirements, since we can now be sure to get chars from at least two types, alphanumeric and non-alphanumeric, but on rare occasions it will still not fulfill the requirement of chars from at least three of the five categories.
This method works well enough as long as there is a manual check that the generated password fulfills the requirements of the organization. When automating password generation, for example in automated provisioning, it just isn't enough, so I wrote a PowerShell function to generate random and complex passwords, described in Method 3.
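The two simple methods side by side, as an added example that is not code from the original post. The Test-PasswordComplexity check, the New-SimplePassword and New-MembershipPassword wrappers and the 1000-run loop are my own; the check mirrors the AD rule of three out of four character categories (the fifth AD category, other Unicode letters, is never produced by these generators and is ignored here).

```powershell
# Added example (not the original post's code): the Get-Random pipe and
# System.Web.Security.Membership.GeneratePassword, measured against a
# three-of-four category check similar to the AD complexity rule.

function Test-PasswordComplexity {
    param([Parameter(Mandatory)][string]$Password)
    $categories = 0
    if ($Password -cmatch '[a-z]')       { $categories++ }   # -cmatch: case-sensitive
    if ($Password -cmatch '[A-Z]')       { $categories++ }
    if ($Password -match  '[0-9]')       { $categories++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $categories++ }
    return ($categories -ge 3)
}

# Method 1: pipe a character set through Get-Random.
# Get-Random is not a cryptographic RNG, and nothing forces category coverage.
function New-SimplePassword {
    param([int]$Length = 8)
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#%&'.ToCharArray()
    -join ($chars | Get-Random -Count $Length)
}

# Method 2: GeneratePassword(length, minimumNonAlphanumeric).
# System.Web ships only with the .NET Framework (Windows PowerShell 5.1);
# it is not available in PowerShell 7 / .NET Core.
function New-MembershipPassword {
    param([int]$Length = 8, [int]$MinNonAlphanumeric = 2)
    Add-Type -AssemblyName System.Web
    [System.Web.Security.Membership]::GeneratePassword($Length, $MinNonAlphanumeric)
}

# Count how often each method fails the category rule over many runs.
$runs = 1000
$failures = @{ 'Get-Random' = 0; 'GeneratePassword' = 0 }
1..$runs | ForEach-Object {
    if (-not (Test-PasswordComplexity (New-SimplePassword)))     { $failures['Get-Random']++ }
    if (-not (Test-PasswordComplexity (New-MembershipPassword))) { $failures['GeneratePassword']++ }
}
$failures.GetEnumerator() | ForEach-Object {
    '{0,-16} failed {1} of {2} runs' -f $_.Key, $_.Value, $runs
}
```

Run it in Windows PowerShell 5.1; the failure counts vary from run to run, which is exactly the point: neither generator lets an unattended provisioning job assume the result is AD-complex.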
I wrote a function to generate a number of random passwords that will be complex enough for Active Directory.
The function can be run in two ways: either using the parameter -PasswordLength to set a fixed password length, or using the parameters -MinPasswordLength and -MaxPasswordLength to get a random length within that range.
Both ways take the parameters -Count and -InputStrings. -Count specifies how many passwords to generate and -InputStrings specifies a list of strings defining which chars to use for password generation. Each generated password will contain at least one char from each string (as long as PasswordLength >= the number of strings).
I also use the class System.Security.Cryptography.RNGCryptoServiceProvider as the source of randomness instead of Get-Random, making the password a little more secure.
The parameters have the following default values:
InputStrings: @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')
This means that just running the command New-SWRandomPassword will generate a new password of 8 characters containing lowercase, uppercase, numeric and non-alphanumeric characters.
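A reconstruction of the Method 3 design, as an added example; it is not the New-SWRandomPassword script from the Technet Gallery. The function name New-RandomPassword, the nested Get-RandomIndex helper, the rejection sampling that avoids modulo bias, and the Fisher-Yates shuffle of positions are my own choices; the parameters and the default InputStrings follow the description above.

```powershell
# Added example (not the gallery script): same parameter design as described,
# RNGCryptoServiceProvider as the randomness source, and one guaranteed
# character from every input string when the length allows it.
function New-RandomPassword {
    [CmdletBinding(DefaultParameterSetName = 'FixedLength')]
    param(
        [Parameter(ParameterSetName = 'FixedLength')]
        [ValidateRange(1, 2147483647)]
        [int]$PasswordLength = 8,

        [Parameter(ParameterSetName = 'RandomLength')]
        [ValidateRange(1, 2147483647)]
        [int]$MinPasswordLength = 8,

        [Parameter(ParameterSetName = 'RandomLength')]
        [ValidateRange(1, 2147483647)]
        [int]$MaxPasswordLength = 12,

        [ValidateRange(1, 2147483647)]
        [int]$Count = 1,

        [string[]]$InputStrings = @('abcdefghijkmnopqrstuvwxyz', 'ABCEFGHJKLMNPQRSTUVWXYZ', '23456789', '!"#%&')
    )

    # Cryptographically strong RNG. RNGCryptoServiceProvider is marked obsolete in
    # newer .NET but still works; RandomNumberGenerator.GetInt32 is the modern call.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

    # Uniform integer in [0, $Max) by rejection sampling: draw 32 bits and retry
    # when the value falls in the tail that would make "% $Max" uneven.
    function Get-RandomIndex {
        param([int]$Max)
        $bytes = New-Object byte[] 4
        $span  = [uint64]4294967296                      # 2^32 possible draws
        $limit = $span - ($span % [uint64]$Max)          # largest multiple of $Max <= 2^32
        do {
            $rng.GetBytes($bytes)
            $value = [uint64][BitConverter]::ToUInt32($bytes, 0)
        } while ($value -ge $limit)
        return [int]($value % [uint64]$Max)
    }

    if ($PSCmdlet.ParameterSetName -eq 'RandomLength' -and $MinPasswordLength -gt $MaxPasswordLength) {
        throw 'MinPasswordLength must not exceed MaxPasswordLength.'
    }
    $allChars = ($InputStrings -join '').ToCharArray()

    for ($i = 0; $i -lt $Count; $i++) {
        if ($PSCmdlet.ParameterSetName -eq 'RandomLength') {
            $length = $MinPasswordLength + (Get-RandomIndex ($MaxPasswordLength - $MinPasswordLength + 1))
        } else {
            $length = $PasswordLength
        }
        $password = New-Object char[] $length

        # Shuffle the positions (Fisher-Yates, driven by the CSPRNG) so the
        # guaranteed characters do not always land at the start of the password.
        $positions = @(0..($length - 1))
        for ($j = $positions.Count - 1; $j -gt 0; $j--) {
            $k = Get-RandomIndex ($j + 1)
            $tmp = $positions[$j]; $positions[$j] = $positions[$k]; $positions[$k] = $tmp
        }

        # Step 1: one character from each input string, as long as length allows.
        $groupCount = [Math]::Min($InputStrings.Count, $length)
        for ($g = 0; $g -lt $groupCount; $g++) {
            $set = $InputStrings[$g].ToCharArray()
            $password[$positions[$g]] = $set[(Get-RandomIndex $set.Count)]
        }
        # Step 2: fill the remaining positions from the union of all strings.
        for ($g = $groupCount; $g -lt $length; $g++) {
            $password[$positions[$g]] = $allChars[(Get-RandomIndex $allChars.Count)]
        }
        -join $password
    }
    $rng.Dispose()
}

# Usage: a fixed length, then a random length between 10 and 16 characters.
New-RandomPassword -PasswordLength 12 -Count 3
New-RandomPassword -MinPasswordLength 10 -MaxPasswordLength 16 -Count 2
```

Because every input string contributes at least one character whenever the length is at least the number of strings, the default sets give one lowercase, one uppercase, one digit and one symbol, which satisfies the three-of-five AD rule without any post-generation check. Passwords shorter than the number of input strings are still generated, but then only the first groups are guaranteed, so keep PasswordLength at or above the number of strings in automated provisioning.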
The script is available at the Technet Gallery.