I have the following PowerShell script that creates a random string of 15 digits, for use as an Active Directory password.
The trouble is, this works great most of t
My take on generating passwords in PowerShell, based on what I've found here and in the Internets:
    #Requires -Version 4.0
    [CmdletBinding(PositionalBinding=$false)]
    param (
        [Parameter(
            Mandatory = $false,
            HelpMessage = "Minimum password length"
        )]
        [ValidateRange(1,[int]::MaxValue)]
        [int]$MinimumLength = 24,

        [Parameter(
            Mandatory = $false,
            HelpMessage = "Maximum password length"
        )]
        [ValidateRange(1,[int]::MaxValue)]
        [int]$MaximumLength = 42,

        [Parameter(
            Mandatory = $false,
            HelpMessage = "Characters which can be used in the password"
        )]
        [ValidateNotNullOrEmpty()]
        [string]$Characters = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@#%*-_+:,.'
    )

    # Pick a random length, then pick that many characters independently (repeats allowed).
    # Note: Get-Random -Maximum is exclusive, so the length is at most $MaximumLength - 1.
    (1..(Get-Random -Minimum $MinimumLength -Maximum $MaximumLength) `
        | %{ `
            $Characters.GetEnumerator() | Get-Random `
        }) -join ''
I preferred this over using System.Web, so as not to introduce dependencies which could change with .NET / .NET Core versions.
My variation also allows random password length (in a specified range), is fairly concise (apart from the parameters section, which is quite verbose, to enforce some validations and provide defaults) and allows character repetitions (as opposed to the code in the question, which never repeats the same character).
I understand that this does not guarantee a digit in the password. This, however, can be addressed in different ways, e.g., as was suggested, by repeating the generation until the password matches the requirements (contains a digit). My take would be:
Assuming that the above script is named "Get-RandomPassword.ps1", it could look like this:
    $pass = .\Get-RandomPassword.ps1
    # Append one guaranteed digit
    $pass += (0..9 | Get-Random)
    # Shuffle, so the digit is not always the last character
    $pass = (($pass.GetEnumerator() | Get-Random -Count $pass.Length) -join '')
    Write-Output $pass
This can be generalized to enforce using any character category:
    $sets = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789', '()-_=+[{]};:''",<.>/?`~')
    $pass = .\Get-RandomPassword.ps1 -Characters ($sets -join '')
    # Append one guaranteed character from every set
    foreach ($set in $sets) {
        $pass += ($set.GetEnumerator() | Get-Random)
    }
    # Shuffle, so the guaranteed characters are not always at the end
    $pass = (($pass.GetEnumerator() | Get-Random -Count $pass.Length) -join '')
    Write-Output $pass
I wrote a secure password generator function in PowerShell, maybe this will be useful to someone.
Similar to the accepted answer, this script also uses Get-Random (twice), and also regular expression matching to ensure the output is secure. The difference in this script is that the password length can also be randomised.
(To hard set a password length, just set the MinimumPasswordLength and MaximumPasswordLength values to the same length.)
It also allows an easy to edit character set, and also has a regex to ensure a decent password has been generated with all of the following characteristics:
(?=.*\d) must contain at least one numerical character
(?=.*[a-z]) must contain at least one lowercase character
(?=.*[A-Z]) must contain at least one uppercase character
(?=.*\W) must contain at least one non-word character
The answer to your question about always including a number in your generated output can be solved by checking the output with a regex match (just use the parts of the regex that you need, based on the explanations above). The example here checks for uppercase, lowercase, and numerical:
    # $AllowedPasswordCharacters and $PasswordLength are defined in the full script below
    $Regex = "(?=.*\d)(?=.*[a-z])(?=.*[A-Z])"
    do {
        $Password = ([string]($AllowedPasswordCharacters |
            Get-Random -Count $PasswordLength) -replace ' ')
    } until ($Password -cmatch $Regex)
    $Password
Here is the full script:
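    Function GeneratePassword
    {
        cls
        $MinimumPasswordLength = 12
        $MaximumPasswordLength = 16
        # Random length between the minimum and maximum, both inclusive
        $PasswordLength = Get-Random -InputObject ($MinimumPasswordLength..$MaximumPasswordLength)
        $AllowedPasswordCharacters = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!?@#£$%^&'
        # Require a digit, a lowercase letter, an uppercase letter and a non-word character
        $Regex = "(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*\W)"
        do {
            # Get-Random -Count samples without replacement, so no character repeats.
            # The [string] cast joins the characters with spaces, which -replace removes.
            $Password = ([string]($AllowedPasswordCharacters |
                Get-Random -Count $PasswordLength) -replace ' ')
        } until ($Password -cmatch $Regex)
        $Password
    }
    GeneratePassword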
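
A variant of the approaches in the answers above (one character from each required set, fill with repeats allowed, then shuffle), added here as an example and not taken from either answer. It draws every index from System.Security.Cryptography.RandomNumberGenerator with rejection sampling to avoid modulo bias; the function names, default length and symbol set are assumptions made for illustration.

```powershell
# Added example. Get-SecureIndex and New-RandomPassword are hypothetical names.

function Get-SecureIndex {
    # Returns a uniformly distributed integer in [0, $Bound) from a CSPRNG.
    param(
        [System.Security.Cryptography.RandomNumberGenerator]$Rng,
        [ValidateRange(1, [int]::MaxValue)][int]$Bound
    )
    $buf   = New-Object byte[] 4
    $range = 4294967296                      # 2^32 possible UInt32 values
    $limit = $range - ($range % $Bound)      # largest multiple of $Bound within the range
    do {
        $Rng.GetBytes($buf)
        $value = [BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)              # reject the tail that would bias the modulo
    return [int]($value % $Bound)
}

function New-RandomPassword {
    param(
        [ValidateRange(1, 256)][int]$Length = 24,
        # Constructed sample sets; every set contributes at least one character
        [string[]]$Sets = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                            '0123456789', '@#%*-_+:,.')
    )
    if ($Length -lt $Sets.Count) { throw "Length must be at least $($Sets.Count)." }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $all   = -join $Sets
        $chars = New-Object System.Collections.Generic.List[char]
        # One guaranteed character per set
        foreach ($set in $Sets) {
            $chars.Add($set[(Get-SecureIndex -Rng $rng -Bound $set.Length)])
        }
        # Fill the remainder from the combined alphabet; repetitions are allowed
        while ($chars.Count -lt $Length) {
            $chars.Add($all[(Get-SecureIndex -Rng $rng -Bound $all.Length)])
        }
        # Fisher-Yates shuffle so the guaranteed characters are not in fixed positions
        for ($i = $chars.Count - 1; $i -gt 0; $i--) {
            $j = Get-SecureIndex -Rng $rng -Bound ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        return (-join $chars.ToArray())
    }
    finally { $rng.Dispose() }
}

New-RandomPassword -Length 20
```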