Create strong passwords in Windows

You know the use of strong and unique passwords is important. Not-so-secure passwords are easily cracked and we read about account takeovers all the time. In this post I show you a couple of methods of creating more secure passwords and random passwords in Windows. Where possible with PowerShell of course. Save these passwords in a password manager (I recommend Bitwarden or Devolutions Hub) for easy usage.

Generate secure passwords with a PowerShell function

PowerShell password generator

In my GitHub Gist I have a PowerShell function to “easily create a random string (or secure password) using PowerShell” you can use and add to your PowerShell Profile for easy usage.

GitHub Gist

You may find the Gist here:

See https://gist.github.com/Digiover/d74a76efedf1e84ddaf947b7284dfe2a.

Substituted Get-Random with RandomNumberGenerator.GetInt32 Method

GetInt32(Int32) generates a random integer between 0 (inclusive) and a specified exclusive upper bound using a cryptographically strong random number generator. This generates a cryptographically secure random integer within a range, whereas Get-Random does not.

For this, PowerShell 7.x is required and a PowerShell version check is added so PS 5.1 still uses Get-Random.

Usage: create random password

An example usage to create a random password on your PowerShell command-prompt is:

PS C:\Users\JanR> Get-RandomString 20
F4!jFy"6A50Im$mAmOOz

This assumes you have added the function to your PowerShell $PROFILE.

Usage: Generate ‘n’ secure passwords at once in a loop

If you need to create 10 passwords at once, just use a PowerShell loop:

PS > 1..10 | % { Get-RandomString 20 SQLCompliant }
TTFoxZ87txhnbmIU9q5A
R4vWWvwgfP0qIt4XYu9o
s!f%CdUvlCI$zQrCFqSc
1TPCtleGZwHA0wesEGTg
eETPS96UevEjT6SQkKRP
vrPkAeR7Eb$3yN5zn42o
U#qpiEKi3CzdqM9EtHiG
pBmcscaeYIWl9I3BQqm!
xJu2c4vnef5MD1$XsgtE
$JbHI2i!eUTIlW9jlt4g

Or

PS > $numb = 10; for ($i=1; $i -le $numb; $i++) { Get-RandomString 20 SQLCompliant }
PjYqmpDXNaWeuAOcGibl
pl1!d025Lj0z46l8dgGa
d2Yh3rh4Kzw%Op57pHm4
JC6qq8RkWagTa5UJEadG
swOxlUJNUSXHoZ6B#L6P
6cVVuaLi0ik16eM5oBrL
ng9Sk!HhxNzo4sP$u5zX
BiqHekIF46vbibv9vzYk
F1iWL$mVspKDMnU3dtC0
VwMESNmDghHnz!agVshc

Use these in PowerShell generated secure passwords to secure your HTTP Basic Authentication for virtual users in IIS.

SQLCompliant passwords

The PowerShell secure password generator function also has an SQLCompliant command argument to filter out some characters you cannot use in an SQL Server Login passwords.

PS C:\Users\JanR> Get-RandomString 20 SQLCompliant
xIhv433dfFo1JcAp4Y2X

This creates a 20 character long password. SQL Server Password policy has about password complexity:

When password complexity policy is enforced, new passwords must meet the following guidelines:

• The password doesn’t contain the account name of the user.
• The password is at least eight characters long.
• The password contains characters from three of the following four categories:
  • Latin uppercase letters (A through Z)
  • Latin lowercase letters (a through z)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters such as: exclamation point (!), dollar sign ($), number sign (#), or percent (%).

Passwords can be up to 128 characters long. Use passwords that are as long and complex as possible.

Alternative methods

Pseudo-random passwords with OpenSSL

If you have OpenSSL installed and available in Windows you can use OpenSSL to generate pseudo-random strings just as you would in Linux. See my post Generate pseudorandom passwords with OpenSSL.

For a complete list of essential openssl.exe commands, see my Comprehensive OpenSSL Cheat Sheet.

Base64 encode and decode strings with PowerShell

Bonus: Easily generate base64 encoded strings with PowerShell. In Generate pseudorandom passwords with OpenSSL you can read that base64 encoded strings make sort of fine passwords too. Add these two functions to your PowerShell $PROFILE to encode and decode base64 strings on your PowerShell command-prompt:

function base64decode($string) {
  return [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($string))
}
function base64encode($string) {
  $bytes = [System.Text.Encoding]::Unicode.GetBytes($string)
  return $EncodedText =[Convert]::ToBase64String($bytes)
}

When ran on the command-prompt, the output is similar to this:

PS > base64encode "foobar"
ZgBvAG8AYgBhAHIA
PS > base64decode ZgBvAG8AYgBhAHIA
foobar

With a generated password, for length:

PS > get-RandomString 32
7lgtYRA1AyA!z.NW)KY%,IY(AU+lT,8G
PS > base64encode '7lgtYRA1AyA!z.NW)KY%,IY(AU+lT,8G'
NwBsAGcAdABZAFIAQQAxAEEAeQBBACEAegAuAE4AVwApAEsAWQAlACwASQBZACgAQQBVACsAbABUACwAOABHAA==
PS > base64decode NwBsAGcAdABZAFIAQQAxAEEAeQBBACEAegAuAE4AVwApAEsAWQAlACwASQBZACgAQQBVACsAbABUACwAOABHAA==
7lgtYRA1AyA!z.NW)KY%,IY(AU+lT,8G

Instead of Unicode.GetBytes you can also use ASCII.GetBytes:

PS > base64encode "foobar"
Zm9vYmFy
PS > base64decode Zm9vYmFy
foobar

GUID (global unique identifier)

A GUID, or a global unique identifier, can make great temporary or service account passwords. They’re long, it’s a 128-bit text string, and contains hexadecimal characters and can contain separator characters. You can easily generate a GUID in PowerShell to use as a password, for example:

PS > [guid]::NewGuid().Guid
b42b4927-baac-4451-a2ff-5e023bdb2727

There are different GUID format types though, you use the parameters “N”, “D”, “B”, “P”, or “X” as format.

Specifier	Format of return value
N	32 digits: 00000000000000000000000000000000
D	32 digits separated by hyphens: 00000000-0000-0000-0000-000000000000
B	32 digits separated by hyphens, enclosed in braces: {00000000-0000-0000-0000-000000000000}
P	32 digits separated by hyphens, enclosed in parentheses: (00000000-0000-0000-0000-000000000000)
X	Four hexadecimal values enclosed in braces, where the fourth value is a subset of eight hexadecimal values that is also enclosed in braces: {0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}}

Testing these out result in:

PS C:\Users\j_rei> [guid]::NewGuid().ToString("P")
(cf0b9c8f-8a60-4241-8210-3f6d89b6ce74)

PS C:\Users\j_rei> [guid]::NewGuid().ToString("B")
{384edf83-c26a-4ef7-958e-30c7e4f20639}

PS C:\Users\j_rei> [guid]::NewGuid().ToString("D")
08eaad7e-92d3-4939-9c80-9f9235d464ea

PS C:\Users\j_rei> [guid]::NewGuid().ToString("N")
277fc9c0815542e29854bc1f58357182

PS C:\Users\j_rei> [guid]::NewGuid().ToString("X")
{0xecc8830b,0x0783,0x4102,{0xa3,0xdb,0xfb,0x03,0x56,0x11,0x08,0x0e}}

Again, these make perfect strong passwords, I use them often for service accounts.

Bonus tip: Password Generators

If you use a tool such as Bitwarden, Devolutions Hub, Vault by Hashicorp or 1Password to store your passwords: they often offer password generator tools in a nice Graphical User Interface (GUI). Use these! It’s so easy.

Be sure to check for settings like “include special characters”, “length”, “minimum numbers” and “minimum special” and make sure they are all set and choose at least 32 for length.

See these Bitwarden Password Generator settings for example:

Passwords are easy to generate and because you save and copy/paste them in your vault and forms, there is no reason why you should not use tools like these.

Found this guide helpful? You can support my independent deep dives into Windows Server and DevOps by donating via PayPal. Every bit of support helps keep saotn.org fast and updated!

Conclusion generating secure passwords in Windows Server and Windows 11

Create and use strong passwords, just do it.

Whereas creating a secure password was difficult in Windows, you nowadays have the tools at hand to do this properly. Unique passwords keeps you safe(r) online and all those unique passwords are easily and securely stored in a password manager like Bitwarden, Devolutions Hub, 1Password, or KeePass. But whatever you do, do not store passwords in your web browser!

Enjoy!