Create strong passwords in Windows

You know the use of strong and unique passwords is important. Not-so-secure passwords are easily cracked and we read about account takeovers all the time. In this post I show you a couple of methods of creating more secure passwords and random passwords in Windows. Where possible with PowerShell of course. Save these passwords in a password manager (I recommend Bitwarden or Devolutions Hub) for easy usage.

Generate secure passwords with a PowerShell function

In my GitHub Gist I have a PowerShell function to “easily create a random string (or secure password) using PowerShell” you can use and add to your PowerShell Profile for easy usage. For example:

PS C:\Users\JanR> Get-RandomString 20
F4!jFy"6A50Im$mAmOOz

There is even an SQLCompliant command argument to filter out some characters you cannot use in an SQL Server Login password.

PS C:\Users\JanR> Get-RandomString 20 SQLCompliant
xIhv433dfFo1JcAp4Y2X

Generate ‘n’ secure passwords at once

If you need to create 10 passwords at once, just use a PowerShell loop:

PS > 1..10 | % { Get-RandomString 20 SQLCompliant }
TTFoxZ87txhnbmIU9q5A
R4vWWvwgfP0qIt4XYu9o
s!f%CdUvlCI$zQrCFqSc
1TPCtleGZwHA0wesEGTg
eETPS96UevEjT6SQkKRP
vrPkAeR7Eb$3yN5zn42o
U#qpiEKi3CzdqM9EtHiG
pBmcscaeYIWl9I3BQqm!
xJu2c4vnef5MD1$XsgtE
$JbHI2i!eUTIlW9jlt4g

Or

PS > $numb = 10; for ($i=1; $i -le $numb; $i++) { Get-RandomString 20 SQLCompliant }
PjYqmpDXNaWeuAOcGibl
pl1!d025Lj0z46l8dgGa
d2Yh3rh4Kzw%Op57pHm4
JC6qq8RkWagTa5UJEadG
swOxlUJNUSXHoZ6B#L6P
6cVVuaLi0ik16eM5oBrL
ng9Sk!HhxNzo4sP$u5zX
BiqHekIF46vbibv9vzYk
F1iWL$mVspKDMnU3dtC0
VwMESNmDghHnz!agVshc

Bonus: Base64 encode/decode with PowerShell

Easily generate base64 encoded strings with PowerShell. In Generate pseudorandom passwords with OpenSSL you can read that base64 encoded strings make sort of fine passwords too. Add these two functions to your PowerShell $PROFILE to encode and decode base64 strings on your PowerShell command-prompt:

function base64decode($string) {
  return [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($string))
}
function base64encode($string) {
  $bytes = [System.Text.Encoding]::Unicode.GetBytes($string)
  return $EncodedText =[Convert]::ToBase64String($bytes)
}

When ran on the command-prompt, the output is similar to this:

PS > base64encode "foobar"
ZgBvAG8AYgBhAHIA
PS > base64decode ZgBvAG8AYgBhAHIA
foobar

Instead of Unicode.GetBytes you can also use ASCII.GetBytes:

PS > base64encode "foobar"
Zm9vYmFy
PS > base64decode Zm9vYmFy
foobar

GitHub Gist

You may find the Gist here:

See https://gist.github.com/Digiover/d74a76efedf1e84ddaf947b7284dfe2a.

Secure passwords generation with OpenSSL

If you have OpenSSL installed and available in Windows you can use OpenSSL to generate pseudo-random strings just as you would in Linux. See my post Generate pseudorandom passwords with OpenSSL.

GUID (global unique identifier)

A GUID, or a global unique identifier, can make great temporary or service account passwords. They’re long, it’s a 128-bit text string, and contains hexadecimal characters and can contain separator characters. You can easily generate a GUID in PowerShell to use as a password, for example:

PS > [guid]::NewGuid().Guid
b42b4927-baac-4451-a2ff-5e023bdb2727

There are different GUID format types though, you use the parameters “N”, “D”, “B”, “P”, or “X” as format.

Specifier	Format of return value
N	32 digits: 00000000000000000000000000000000
D	32 digits separated by hyphens: 00000000-0000-0000-0000-000000000000
B	32 digits separated by hyphens, enclosed in braces: {00000000-0000-0000-0000-000000000000}
P	32 digits separated by hyphens, enclosed in parentheses: (00000000-0000-0000-0000-000000000000)
X	Four hexadecimal values enclosed in braces, where the fourth value is a subset of eight hexadecimal values that is also enclosed in braces: {0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}

Testing these out result in:

PS C:\Users\j_rei> [guid]::NewGuid().ToString("P")
(cf0b9c8f-8a60-4241-8210-3f6d89b6ce74)

PS C:\Users\j_rei> [guid]::NewGuid().ToString("B")
{384edf83-c26a-4ef7-958e-30c7e4f20639}

PS C:\Users\j_rei> [guid]::NewGuid().ToString("D")
08eaad7e-92d3-4939-9c80-9f9235d464ea

PS C:\Users\j_rei> [guid]::NewGuid().ToString("N")
277fc9c0815542e29854bc1f58357182

PS C:\Users\j_rei> [guid]::NewGuid().ToString("X")
{0xecc8830b,0x0783,0x4102,{0xa3,0xdb,0xfb,0x03,0x56,0x11,0x08,0x0e}}

Again, these make perfect strong passwords, I use them often for service accounts.

Bonus tip: Password Generators

If you use a tool such as Bitwarden, Devolutions Hub, Vault by Hashicorp or 1Password to store your passwords: they often offer password generator tools in a nice Graphical User Interface (GUI). Use these! It’s so easy.

Be sure to check for settings like “include special characters”, “length”, “minimum numbers” and “minimum special” and make sure they are all set and choose at least 32 for length.

See these Bitwarden Password Generator settings for example:

Passwords are easy to generate and because you save and copy/paste them in your vault and forms, there is no reason why you should not use tools like these.

Conclusion generating secure passwords in Windows Server and Windows 11

Create and use strong passwords, just do it.

Whereas creating a secure password was difficult in Windows, you nowadays have the tools at hand to do this properly. Unique passwords keeps you safe(r) online and all those unique passwords are easily and securely stored in a password manager like Bitwarden, Devolutions Hub, 1Password, or KeePass. But whatever you do, do not store passwords in your web browser!

Enjoy!