Generates and tests complex passwords. The password generator [New-ComplexPasswordAscii] only produces ASCII/ANSI passwords. The password tester [Test-PasswordComplexityToCSV] supports Unicode.
Test password complexity from a CSV file.
For the Windows default domain password policy with complexity enabled, use the following parameters: -MinLength 6 -MinCategory 3
WARNING: This tool reads passwords into memory in clear text, which could be exposed if the executing workstation is compromised.
The default input file name is the <name of this script>.CSV. This can be overridden with the -Path parameter.
The input CSV file requires the column header 'Password' (column order insensitive, case insensitive), and optionally 'UserName' and 'DisplayName' columns. All other columns are ignored but passed through to the output file.
The UserName value, if present and over 3 characters in length, is tested to not be contained within the password value.
The DisplayName value, if present, is parsed and tested so that no component over 3 characters in length is contained within the password value. DisplayName is split on the following characters:
tabs '`t'
space ' '
number or pound sign '#'
comma ','
minus sign, dash or hyphen '-'
period '.'
underscore '_'
One output file is generated by default in a subfolder called '.\Reports\'. The output file name is in the format of: <date/time/timezone stamp>-<msExchOrganizationContainer>-<ScriptName>.CSV.
If parameter -Debug or -Verbose is specified, then a second file, a PowerShell transcript (*.TXT), is created with the same name and in the same location.
The input file is read, two additional columns are added 'IsCompliant' and 'Status', and then written to the output file. IsCompliant has a TRUE or FALSE value. Status is either empty, or has a combined list of all non-compliance.
The minimum password character length required to be compliant. The default is zero.
The maximum password character length allowed to be compliant. The default of zero indicates not to check for maximum length.
The minimum number of uppercase letters required to be compliant. The default is zero.
The minimum number of lowercase letters required to be compliant. The default is zero.
The minimum number of number characters required to be compliant. The default is zero.
The minimum number of special characters required to be compliant. The default is zero.
The minimum number of Unicode characters required to be compliant. The default is zero. A Unicode character here is any character categorized as alphabetic (a letter) but neither uppercase nor lowercase; this includes characters from Asian scripts.
The minimum number of character categories (upper/lower/number/special/Unicode) required to be compliant. The maximum value is 5. The default is zero.
The CSV file column or property name that contains passwords. The default is 'Password'.
The CSV file column or property name that contains usernames. The default is 'UserName'.
The CSV file column or property name that contains display names. The default is 'DisplayName'.
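The checks described above, as an added example that is not the script's own code: a stand-alone function (the name Test-PasswordComplexity and its parameter names are assumptions) that counts characters per .NET Unicode general category, applies the length, per-category and category-count minimums, and performs the UserName and DisplayName containment tests, returning the same IsCompliant and Status fields the output file carries. The three input rows at the end are constructed to stand in for what Import-Csv returns.

```powershell
# Added example, not the script's own code: applies the rules above to one
# password and returns the IsCompliant and Status fields the output file carries.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [string]$DisplayName = '',
        [int]$MinLength = 0,
        [int]$MaxLength = 0,
        [int]$MinUppercase = 0,
        [int]$MinLowercase = 0,
        [int]$MinNumber = 0,
        [int]$MinSpecial = 0,
        [int]$MinUnicode = 0,
        [ValidateRange(0, 5)][int]$MinCategory = 0
    )
    $status = New-Object System.Collections.Generic.List[string]

    # Per-category counts via .NET Unicode general categories. \p{Lo} ("Letter,
    # Other": alphabetic but neither upper nor lower case) is the -MinUnicode
    # category; anything that is not a letter or a decimal digit counts as special.
    $upper   = [regex]::Matches($Password, '\p{Lu}').Count
    $lower   = [regex]::Matches($Password, '\p{Ll}').Count
    $number  = [regex]::Matches($Password, '\p{Nd}').Count
    $unicode = [regex]::Matches($Password, '\p{Lo}').Count
    $special = [regex]::Matches($Password, '[^\p{L}\p{Nd}]').Count
    $categories = @(@($upper, $lower, $number, $special, $unicode) | Where-Object { $_ -gt 0 }).Count

    # Count user-perceived characters rather than UTF-16 code units, so a
    # surrogate pair or a combining sequence is one character.
    $length = (New-Object System.Globalization.StringInfo($Password)).LengthInTextElements

    if ($MinLength -gt 0 -and $length -lt $MinLength) { $status.Add("length $length < MinLength $MinLength") }
    if ($MaxLength -gt 0 -and $length -gt $MaxLength) { $status.Add("length $length > MaxLength $MaxLength") }
    if ($upper   -lt $MinUppercase) { $status.Add("uppercase $upper < $MinUppercase") }
    if ($lower   -lt $MinLowercase) { $status.Add("lowercase $lower < $MinLowercase") }
    if ($number  -lt $MinNumber)    { $status.Add("number $number < $MinNumber") }
    if ($special -lt $MinSpecial)   { $status.Add("special $special < $MinSpecial") }
    if ($unicode -lt $MinUnicode)   { $status.Add("unicode $unicode < $MinUnicode") }
    if ($categories -lt $MinCategory) { $status.Add("categories $categories < MinCategory $MinCategory") }

    # A UserName longer than 3 characters must not appear in the password (case-insensitive).
    if ($UserName.Length -gt 3 -and
        $Password.IndexOf($UserName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $status.Add("contains UserName '$UserName'")
    }
    # DisplayName is split on tab, space, '#', ',', '-', '.', '_'; components
    # longer than 3 characters must not appear in the password.
    foreach ($part in ($DisplayName -split '[\t #,\-._]+')) {
        if ($part.Length -gt 3 -and
            $Password.IndexOf($part, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $status.Add("contains DisplayName component '$part'")
        }
    }

    [PSCustomObject]@{
        IsCompliant = ($status.Count -eq 0)
        Status      = ($status -join '; ')
    }
}

# Constructed sample rows, standing in for what Import-Csv returns from the input file.
$rows = @(
    [PSCustomObject]@{ UserName = 'wsmith'; DisplayName = 'William Smith'; Password = 'Smith2024!' }
    [PSCustomObject]@{ UserName = 'jdoe';   DisplayName = 'Jane Doe';      Password = 'Tr0ub4dor&3' }
    [PSCustomObject]@{ UserName = 'lchen';  DisplayName = 'Li Chen';       Password = '密码Pass1' }
)
$rows | ForEach-Object {
    $r = Test-PasswordComplexity -Password $_.Password -UserName $_.UserName `
            -DisplayName $_.DisplayName -MinLength 6 -MinCategory 3
    $_ | Add-Member -NotePropertyName IsCompliant -NotePropertyValue $r.IsCompliant -PassThru |
         Add-Member -NotePropertyName Status -NotePropertyValue $r.Status -PassThru
} | Format-Table -AutoSize
```

With -MinLength 6 -MinCategory 3 the first row fails only because 'Smith' from the display name appears in the password; the second row passes; the third passes with four categories (uppercase, lowercase, number, and the two Letter_Other characters), which is the case an ASCII-only checker would miscount.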
Default is not to use Active Directory. If enabled:
* Uses executing workstation's Active Directory domain
* Gets the default domain password policy
* Overwrites -MinLength and -MinCategory if either are weaker
* Reads InFile's UserName column (can have DistinguishedName, GUID, SID, or SamAccountName values)
* Gets the user properties SamAccountName and DisplayName from Active Directory, using them in place of the InFile's UserName and DisplayName column values.
No attempt to validate the password against Active Directory objects is made.
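The Active Directory behaviour described above, as an added example that is not the script's own code: read the default domain password policy with the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy, raise -MinLength and -MinCategory where they are weaker than the domain's, then resolve each input UserName with Get-ADUser, whose -Identity accepts a DistinguishedName, GUID, SID or SamAccountName. It assumes a domain-joined workstation with the RSAT ActiveDirectory module installed; the two input rows are constructed and the SID is a placeholder.

```powershell
# Added example, not the script's own code. Requires the ActiveDirectory module
# (RSAT) on a domain-joined workstation.
Import-Module ActiveDirectory

$MinLength   = 6
$MinCategory = 3

# Keep whichever is stronger: the caller's minimums or the domain's policy.
# ComplexityEnabled is the Windows "3 of the character categories" rule.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -gt $MinLength) { $MinLength = $policy.MinPasswordLength }
if ($policy.ComplexityEnabled -and $MinCategory -lt 3) { $MinCategory = 3 }
Write-Verbose "Effective minimums: length $MinLength, categories $MinCategory"

# Constructed rows standing in for the InFile's UserName column; the SID is a placeholder.
$rows = @(
    [PSCustomObject]@{ UserName = 'jdoe' }
    [PSCustomObject]@{ UserName = 'S-1-5-21-0000000000-0000000000-0000000000-1001' }
)
foreach ($row in $rows) {
    try {
        $user = Get-ADUser -Identity $row.UserName -Properties DisplayName -ErrorAction Stop
        $row | Add-Member -NotePropertyName SamAccountName -NotePropertyValue $user.SamAccountName
        $row | Add-Member -NotePropertyName DisplayName    -NotePropertyValue $user.DisplayName
    } catch {
        # An unresolved identity is reported, not silently tested against an empty name.
        Write-Warning "Could not resolve '$($row.UserName)': $($_.Exception.Message)"
    }
}
$rows
```

Only the policy object and user attributes are read; as the text states, no password is ever sent to or validated against the directory.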
Specifies the delimiter that separates the property values in the CSV file. The default is a comma (,). Enter a character, such as a colon (:). To specify a semicolon (;), enclose it in quotation marks.
If you specify a character other than the actual string delimiter in the file, Import-Csv cannot create objects from the CSV strings. Instead, it returns the strings.
Specifies the type of character encoding that was used in the CSV file. Valid values are Unicode, UTF7, UTF8, ASCII, UTF32, BigEndianUnicode, Default, and OEM. The default is ASCII.
This parameter is introduced in Windows PowerShell 3.0.
Specifies an alternate column header row for the imported file. The column header determines the names of the properties of the object that Import-Csv creates.
Enter a comma-separated list of the column headers. Enclose each item in quotation marks (single or double). Do not enclose the header string in quotation marks. If you enter fewer column headers than there are columns, the remaining columns will have no header. If you enter more headers than there are columns, the extra headers are ignored.
When using the Header parameter, delete the original header row from the CSV file. Otherwise, Import-Csv creates an extra object from the items in the header row.
Specifies the path to the CSV file to import. You can also pipe a path to Import-Csv.
Use the list separator for the current culture as the item delimiter. The default is a comma (,).
To find the list separator for a culture, use the following command: (Get-Culture).TextInfo.ListSeparator. If you specify a character other than the delimiter used in the CSV strings, ConvertFrom-CSV cannot create objects from the CSV strings. Instead, it returns the strings.
Specifies the path to the CSV file to import. Unlike Path, the value of the LiteralPath parameter is used exactly as it is typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell Windows PowerShell not to interpret any characters as escape sequences.
Test-PasswordComplexityFromCSV -Path .\Test-PasswordComplexityFromCSV-TEST.csv -OutFileNameTag Default
Test-PasswordComplexityFromCSV -Path .\Test-PasswordComplexityFromCSV-TEST.csv -MinLength 6 -MinCategory 3 -OutFileNameTag Len6Cat3
Test-PasswordComplexityFromCSV -Path .\Test-PasswordComplexityFromCSV-TEST.csv -MinLength 15 -OutFileNameTag Len15
Test-PasswordComplexityFromCSV -Path .\Test-PasswordComplexityFromCSV-TEST.csv -MinCategory 5 -OutFileNameTag Cat5
Test-PasswordComplexityFromCSV -Path .\Test-PasswordComplexityFromCSV-TEST.csv -MinUppercase 1 -MinLowercase 1 -MinNumber 1 -MinSpecial 1 -MinUnicode 1 -OutFileNameTag u1L1N1S1U1
Test-PasswordComplexityFromCSV -Path .\Test-PasswordComplexityFromCSV-TEST.csv -ExcludeCharacter '~,' -OutFileNameTag XC
Given CSV (.\Test-PasswordComplexityFromCSV.csv) file header:
UserName,DisplayName,Credential
Wiliam,Bob,ABCdef123!@#
...
Use -PasswordPropertyName:
Test-PasswordComplexityFromCSV -PasswordPropertyName Credential
Given CSV (.\Test-PasswordComplexityFromCSV.csv) file header:
AccountName,DisplayName,Password
Wiliam,Bob,ABCdef123!@#
...
Use -UserNamePropertyName:
Test-PasswordComplexityFromCSV -UserNamePropertyName AccountName
Given CSV (.\Test-PasswordComplexityFromCSV.csv) file header:
UserName,FriendlyName,Password
Wiliam,Bob,ABCdef123!@#
...
Use -DisplayNamePropertyName:
Test-PasswordComplexityFromCSV -DisplayNamePropertyName FriendlyName
Author: Terry E Dow
Creation Date: 2018-08-01
Reference:
Password must meet complexity requirements https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements
Selecting Secure Passwords https://msdn.microsoft.com/en-us/library/cc875839.aspx?f=255&MSPPError=-2147217396
Character Classes in Regular Expressions https://docs.microsoft.com/en-us/dotnet/standard/base-types/character-classes-in-regular-expressions#SupportedUnicodeGeneralCategories
Unicode Regular Expressions http://www.unicode.org/reports/tr18/
Unicode Regular Expressions https://www.regular-expressions.info/unicode.html#prop
Unicode Characters in the 'Letter, Other' Category http://www.fileformat.info/info/unicode/category/Lo/list.htm
Generate new complex password.
Generate a new complex ASCII password. There are 5 character categories: uppercase, lowercase, numbers, special characters, and Unicode Letter_Other. This solution only supports the first 4 and does not support Unicode. The valid values for the parameter -MinCategory are 0 to 4.
The complexity of the generated password is based on the parameters
-MinLength 1
-MinUpper 0
-MinLower 0
-MinNumber 0
-MinSpecial 0
and
-MinCategory 0
Use the -Min<CharCategory> parameters (-MinUpper, -MinLower, -MinNumber, -MinSpecial) to define the minimum required password complexity.
Alternatively, you can use the -MinCategory and this solution will pick random character categories.
After the -Min<CharCategory>/-MinCategory requirements have been met, random characters from any of the 4 character categories fill the remainder of the password length.
If both are used together and -MinCategory is larger than the combined -Min<CharCategory> values, this solution picks the balance randomly from the remaining unspecified -Min<CharCategory> parameters.
If -MinLength is less than -MinCategory or the combined -Min<CharCategory> values, the password length is extended to fit.
Use -Verbose and the password will be written to the console (Write-Verbose).
-MinLength increases the password complexity more than increases in -MinCategory do. A value of 15 or larger is recommended.
For the Windows default domain password policy with complexity enabled, use the following parameters: -MinLength 6 -MinCategory 3. Your domain's -MinLength may be larger.
One output file is generated by default in a subfolder called '.\Reports\'. The output file name is in the format of: <date/time/timezone stamp>-<msExchOrganizationContainer>-<ScriptName>.CSV.
If parameter -Debug or -Verbose is specified, then a second file, a PowerShell transcript (*.TXT), is created with the same name and in the same location.
Two columns are created, 'NewPassword' and 'NewPasswordDescription'. The NewPassword column contains the randomly generated US-ASCII passwords; the NewPasswordDescription column contains the password description. For example:
> .\New-ComplexPasswordAscii.ps1 -MinLength 4 -MinCategory 4
file: .\Reports\<date/time/timezone stamp>-<msExchOrganizationContainer>-<ScriptName>.CSV
"NewPassword","NewPasswordDescription"
"=3vD","equals-sign_three_victor_DELTA"
The number of random complex passwords to generate. The default is one.
The minimum password character length required to be compliant. The default is one.
The maximum password character length allowed to be compliant. The default of zero indicates not to check for maximum length.
The minimum number of uppercase letters required to be compliant. The default is zero.
The minimum number of lowercase letters required to be compliant. The default is zero.
The minimum number of number characters required to be compliant. The default is zero.
The minimum number of special characters required to be compliant. The default is zero.
The minimum number of character categories (upper/lower/number/special) required to be compliant. The maximum value is 4. The default is zero.
The CSV file column or property name for the new password. The default is 'NewPassword'.
The CSV file column or property name for the new password description. The default is 'NewPasswordDescription'. When -PasswordPropertyName is used the property name will be '<PasswordPropertyName>Description'.
One or more characters to be excluded from being generated. The default is $NULL, no excluded characters. Characters worth excluding, and why:
" Quotation-Mark - Comma Separated Value file delimiter
% Percent-Sign - Environment variable substitution
& Ampersand - Inline command separator
+ Plus-Sign - Excel macro prefix
, Comma - Comma Separated Value file delimiter
< Less-Than - Redirect input
= Equals-Sign - Excel macro prefix
> Greater-Than - Redirect output
^ Circumflex-Accent - Escape character
| Vertical-Line - Pipe output to next command's input
0Oo Zero OSCAR oscar - ambiguous
1Il One INDIA lima - ambiguous
-_ Hyphen-Minus Low-Line - ambiguous
'` Apostrophe Grave-Accent - ambiguous
-ExcludeCharacter '"IOlo01''`%&+,<=>^|-_'
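The generation rules described above (explicit -Min<CharCategory> minimums, a random balance of categories to satisfy -MinCategory, length extended to fit, the remainder drawn from any category) together with the -ExcludeCharacter list, as an added example that is not the script's own code. The function name New-ComplexPassword and the helper Get-RandomIndex are assumptions. It draws from the .NET cryptographic random number generator with rejection sampling rather than Get-Random, so the output is suitable for real credentials.

```powershell
# Added example, not the script's own code.

# Unbiased index in [0, $N) from a cryptographic RNG: draws at or above the
# largest multiple of $N are rejected and redrawn so no residue is favoured.
function Get-RandomIndex([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$N) {
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$N)
    do {
        $Rng.GetBytes($buf)
        $v = [BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    return [int]($v % $N)
}

function New-ComplexPassword {
    [CmdletBinding()]
    param(
        [int]$MinLength = 1,
        [int]$MinUppercase = 0,
        [int]$MinLowercase = 0,
        [int]$MinNumber = 0,
        [int]$MinSpecial = 0,
        [ValidateRange(0, 4)][int]$MinCategory = 0,
        [string]$ExcludeCharacter = ''
    )
    # The four ASCII categories, with excluded characters removed up front.
    $sets = [ordered]@{
        Upper   = [char[]](65..90)
        Lower   = [char[]](97..122)
        Number  = [char[]](48..57)
        Special = [char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'
    }
    $exclude = $ExcludeCharacter.ToCharArray()
    foreach ($k in @($sets.Keys)) {
        $sets[$k] = @($sets[$k] | Where-Object { $exclude -notcontains $_ })
        if ($sets[$k].Count -eq 0) { throw "Every character in category $k is excluded" }
    }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # Explicit -Min<CharCategory> values first; if -MinCategory asks for more
    # categories than those cover, pick the balance at random from the rest.
    $required = [ordered]@{ Upper = $MinUppercase; Lower = $MinLowercase; Number = $MinNumber; Special = $MinSpecial }
    $covered = @($required.Keys | Where-Object { $required[$_] -gt 0 })
    $unused  = @($required.Keys | Where-Object { $required[$_] -eq 0 })
    $balance = $MinCategory - $covered.Count
    while ($balance -gt 0 -and $unused.Count -gt 0) {
        $pick = $unused[(Get-RandomIndex $rng $unused.Count)]
        $required[$pick] = 1
        $unused = @($unused | Where-Object { $_ -ne $pick })
        $balance--
    }
    # The length grows to fit the minimums, as the help text describes.
    $needed = ($required.Values | Measure-Object -Sum).Sum
    $length = [int][Math]::Max($MinLength, $needed)

    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($k in $required.Keys) {
        for ($i = 0; $i -lt $required[$k]; $i++) {
            $chars.Add($sets[$k][(Get-RandomIndex $rng $sets[$k].Count)])
        }
    }
    # Fill the remainder from any category.
    $all = @($sets.Keys | ForEach-Object { $sets[$_] })
    while ($chars.Count -lt $length) {
        $chars.Add($all[(Get-RandomIndex $rng $all.Count)])
    }
    # Fisher-Yates shuffle so the required characters are not front-loaded.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# 15 characters, 3 of 4 categories, with the ambiguous and CSV/shell-hostile
# characters from the list above excluded.
New-ComplexPassword -MinLength 15 -MinCategory 3 -ExcludeCharacter '"IOlo01''`%&+,<=>^|-_'
```

The shuffle matters: without it every password would start with its required uppercase, lowercase, digit and special characters in a fixed order, which shrinks the effective search space for anyone who learns the generator's layout.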
Specifies the delimiter that separates the property values in the CSV file. The default is a comma (,). Enter a character, such as a colon (:). To specify a semicolon (;), enclose it in quotation marks.
If you specify a character other than the actual string delimiter in the file, Import-Csv cannot create objects from the CSV strings. Instead, it returns the strings.
Specifies the type of character encoding that was used in the CSV file. Valid values are Unicode, UTF7, UTF8, ASCII, UTF32, BigEndianUnicode, Default, and OEM. The default is ASCII.
This parameter is introduced in Windows PowerShell 3.0.
Specifies an alternate column header row for the imported file. The column header determines the names of the properties of the object that Import-Csv creates.
Enter a comma-separated list of the column headers. Enclose each item in quotation marks (single or double). Do not enclose the header string in quotation marks. If you enter fewer column headers than there are columns, the remaining columns will have no header. If you enter more headers than there are columns, the extra headers are ignored.
When using the Header parameter, delete the original header row from the CSV file. Otherwise, Import-Csv creates an extra object from the items in the header row.
Specifies the path to the CSV file to import. You can also pipe a path to Import-Csv.
Use the list separator for the current culture as the item delimiter. The default is a comma (,).
To find the list separator for a culture, use the following command: (Get-Culture).TextInfo.ListSeparator. If you specify a character other than the delimiter used in the CSV strings, ConvertFrom-CSV cannot create objects from the CSV strings. Instead, it returns the strings.
Specifies the path to the CSV file to import. Unlike Path, the value of the LiteralPath parameter is used exactly as it is typed. No characters are interpreted as wildcards. If the path includes escape characters, enclose it in single quotation marks. Single quotation marks tell Windows PowerShell not to interpret any characters as escape sequences.
New-ComplexPasswordAscii -OutFileNameTag Default
New-ComplexPasswordAscii -NumPassword 10 -MinLength 8 -OutFileNameTag Num10Verbose -Verbose
New-ComplexPasswordAscii -NumPassword 100 -MinLength 6 -MinCategory 3 -OutFileNameTag Num100Len6Cat3
New-ComplexPasswordAscii -NumPassword 100 -MinLength 15 -OutFileNameTag Num100Len15
New-ComplexPasswordAscii -NumPassword 100 -MinLength 15 -MinCategory 4 -OutFileNameTag Num100Len15Cat4
New-ComplexPasswordAscii -NumPassword 100 -MinLength 15 -MinUppercase 1 -MinLowercase 1 -MinNumber 1 -MinSpecial 1 -OutFileNameTag Num100Len15u1L1N1S1
Author: Terry E Dow
Creation Date: 2018-08-01
Reference:
Password must meet complexity requirements https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements
Selecting Secure Passwords https://msdn.microsoft.com/en-us/library/cc875839.aspx?f=255&MSPPError=-2147217396
Convert one or more strings to US-ASCII character descriptions.
Convert one or more strings to US-ASCII character descriptions using ICAO (NATO) phonetic alphabet words and ISO/IEC 8859-1:1998(en) (ISO Latin 1) character names.
Specifies one or more strings to be described.
Specifies one or more characters placed between the descriptive character strings. The default is space (" ").
ConvertTo-AsciiDescription '~!@#$%^&*()_+'
tilde exclamation-mark commercial-at number-sign dollar-sign percent-sign circumflex-accent ampersand asterisk left-parenthesis right-parenthesis low-line plus-sign
ConvertTo-AsciiDescription 'Testing, testing, 1, 2, 3.', 'The quick brown fox'
TANGO echo sierra tango india november golf comma space tango echo sierra tango india november golf comma space one comma space two comma space three full-stop
TANGO hotel echo space quebec uniform india charlie kilo space bravo romeo oscar whiskey november space foxtrot oscar x-ray
ConvertTo-AsciiDescription 'Testing, testing, 1, 2, 3.', 'The quick brown fox' -Delimiter '_'
TANGO_echo_sierra_tango_india_november_golf_comma_space_tango_echo_sierra_tango_india_november_golf_comma_space_one_comma_space_two_comma_space_three_full-stop
TANGO_hotel_echo_space_quebec_uniform_india_charlie_kilo_space_bravo_romeo_oscar_whiskey_november_space_foxtrot_oscar_x-ray
Author: Terry E Dow
Creation Date: 2019-02-14
NATO phonetic alphabet, International Radiotelephony Spelling Alphabet (1957), International Civil Aviation Organization (ICAO) Phonetic Alphabet, International Telecommunication Union (ITU) Phonetic Alphabet https://www.icao.int/Pages/AlphabetRadiotelephony.aspx
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) 8859-1:1998(en) https://www.unicode.org/charts/PDF/U0000.pdf https://www.iso.org/obp/ui/#iso:std:iso-iec:8859:-1:en