Monday, November 14, 2022

PowerShell: Password generating function

Passwords - the basics

Having a long password is usually better than a short but complex one. When attackers attempt to crack your password they use techniques such as brute forcing: trying a dictionary of common passwords against your account, or simply trying one sequence of characters after another.

AAAA... AAAB.... ABCC....ABCD... and eventually the account goes "pop".

Just like a padlock, a password has a fixed number of possible combinations.

A padlock usually has the digits 0-9 on each wheel, which is ten characters per wheel. The total number of combinations is the number of characters per wheel raised to the power of the number of wheels.

Four wheels with 10 numbers (0 through 9) give 10 x 10 x 10 x 10 combinations, which is also written as 10^4. When scripting in PowerShell you write [math]::Pow(10,4). The answer is 10000 combinations.

Let's say that the brute forcing computer can guess 1000 passwords per second. That leaves your account safe for at most 10 seconds if you have a 4 character long password drawn from those ten digits.

By increasing the variety of characters (more numbers per wheel on your padlock) and increasing the number of characters in your password (more wheels on your padlock), your password will take longer to crack.

However, store it well, and preferably don't store it at all if possible. It doesn't matter if your password is 20 characters long and complex if it is stored in plain text in a file called "passwords.txt".

Those who store your password often store it "hashed" and "salted" to add extra complexity. Hashing runs the password through a hashing function that scrambles it, and salting adds random characters before hashing so that identical passwords do not produce identical hashes. If the passwords are leaked they will not be in plain text. That is why some malicious actors keep pre-computed lists of hashed passwords: they compare those against a leaked list of hashes to find matches.

Generating a password using PowerShell

I found myself having to update an old password and I didn't want to come up with a lot of numbers, letters and special characters myself. So I scripted a function that helps me produce a password that meets the requirements of being long and complex. (One difference between a function and a cmdlet is that the latter is compiled C# code.)

First I defined which characters I wanted to use in a string. Each character in a string can be called upon with an index number. The real engine behind this function is "Get-Random", which returns a random index within the length of the string. This way you can get a random character.

The challenge was then stringing together an output string, the password, with the right number of characters.

Finally I added a parameter that puts the password in my clipboard, one parameter that lets me pick the password length, and also an alias for the function.

Here is the code:
 
function New-Password {
    <# Parameters with default values #>
    [Alias("npwd")]
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [Alias("Length")]
        [int]$DesiredPasswordLength = 15,
        [Alias("c", "copy")]
        [switch]$CopyPassword = $False
    )

    <# Available characters #>
    [string]$AvailableCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!?@#";

    <# Random letter from available characters: Get-Random with a maximum returns an index from 0 up to Length-1 #>
    function Get-RandomLetter {
        $AvailableCharacters[(Get-Random -Maximum $AvailableCharacters.Length)]
    }

    <# Build string, one random character at a time, until the desired length is reached #>
    [string]$Password = ""
    Do { $Password += Get-RandomLetter } While ($Password.Length -lt $DesiredPasswordLength)
    $PasswordLength = $Password.Length

    <# Output: combinations = size of the character set raised to the password length ([math]::Pow returns a double) #>
    [double]$NumberOfCombinations = [math]::Pow($AvailableCharacters.Length, $Password.Length)
    Write-Output "Your generated password is $Password and is $PasswordLength characters long. Complexity: $NumberOfCombinations combinations."

    <# Copy to the clipboard only when requested; a Break here would otherwise escape to any loop in the caller #>
    if ($CopyPassword) { $Password | Set-Clipboard }
}
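The same idea as New-Password, as an added example that is not part of the original post: it draws each character from the operating system's cryptographic random number generator instead of Get-Random (which is not designed for secrets), and it reports the padlock estimate from the first part of the post. The function name New-SecurePassword, the GuessesPerSecond parameter and the 1000 guesses per second figure are assumptions for illustration; it assumes PowerShell 7 (.NET Core 3.0 or later) for RandomNumberGenerator.GetInt32.

```powershell
# Added example, not the post's own code. Assumes PowerShell 7 (.NET Core 3.0+).
function New-SecurePassword {
    [CmdletBinding()]
    param (
        [int]$Length = 15,
        [string]$AvailableCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!?@#",
        # Assumed guess rate, the same figure as the padlock example in the post.
        [double]$GuessesPerSecond = 1000
    )

    $chars = New-Object char[] $Length
    for ($i = 0; $i -lt $Length; $i++) {
        # GetInt32(n) returns a uniformly distributed integer in 0..n-1 from the
        # system CSPRNG, so every index into the character set is equally likely.
        $index = [System.Security.Cryptography.RandomNumberGenerator]::GetInt32($AvailableCharacters.Length)
        $chars[$i] = $AvailableCharacters[$index]
    }
    $password = -join $chars

    # Characters per "wheel" raised to the number of "wheels", as in the padlock analogy.
    $combinations     = [math]::Pow($AvailableCharacters.Length, $Length)
    $secondsToExhaust = $combinations / $GuessesPerSecond
    $yearsToExhaust   = $secondsToExhaust / (365 * 24 * 3600)

    # Returned as an object so the caller decides whether to display or copy it;
    # nothing is written to the console or clipboard by default.
    [pscustomobject]@{
        Password       = $password
        Length         = $Length
        Combinations   = $combinations
        YearsToExhaust = $yearsToExhaust
    }
}

# Constructed usage: a 15-character password from the 68-character set.
New-SecurePassword -Length 15
```

Pipe the result to Set-Clipboard (`(New-SecurePassword).Password | Set-Clipboard`) if you want the same copy behaviour as the original function without echoing the password.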

A few last thoughts

Remember that the code handles the password in clear text (it is written to the console and, optionally, to the clipboard), so be mindful of how you use it. Its purpose is to help you generate randomized strings of a defined length.

Test your password security at sites like Passwordmonster or Security.org. I tested a random password with a length of 15 characters and it reached 100+ million years. How passwords will change in the face of quantum computing is for the future to tell. Perhaps password cracking will be faster or perhaps encryption will change fundamentally. Who knows?
