en-US/about_PSPasswordGenerator.help.txt

TOPIC
    about_PSPasswordGenerator
 
SHORT DESCRIPTION
    As the name implies, this module can generate passwords.
 
LONG DESCRIPTION
    This module is built to generate passwords, with parameters that you choose.
    Any text generated by this module shall conform to the length and complexity
    constraints that you, the user, choose to specify.
 
    This is more of a conceptual help topic than a how-to. Before you continue,
    you may want to read the help for the New-RandomPassword cmdlet.
 
EXAMPLES
    PSPasswordGenerator can be used by itself, in other scripts or in workflows.
    For example, the author himself used this module to create a service account
    for Windows Server's (2012 R2) DHCP Server service. (Names have been changed
    to protect the innocent.)
 
    #---------------------------------------------------------------------------
    #Requires -Version 5.0
    #Requires -Module PSPasswordGenerator
     
    # Create a long, secure password for this account.
    $passwd = Get-RandomPassword -Length 240 -UseExtendedAscii -UseAmbigiousCharacters
     
    # The rest of this example merely walks through creating an Active Directory
    # service account, and registering it with one server's DHCP Server service.
    # If you wanted to learn how to use Get-RandomPassword, you're all done now.
    # If you're studying for a Microsoft exam then I recommend you keep reading!
     
    # Create the user account. Splatting was added for readability.
    $ADAccountParameters = @{
      Name = 'DNS Dynamic Update'
      DisplayName = 'DNS Dynamic Update service account'
      Description = "Allows App1's DHCP Server to update AD DNS zones."
      AccountPassword = $passwd
      CannotChangePassword = $true
      Enabled = $true
      LogonWorkstations = 'App1'
      PasswordNeverExpires = $true
      Path = 'OU=Service Accounts,DC=internal,DC=contoso,DC=com'
      SAMAccountName = '_DNSDynamicUpdate'
      UserPrincipalName = 'DNSDynamicUpdate@internal.contoso.com'
    }
    $acct = New-ADUser @ADAccountParameters -PassThru
     
    # Add this service account to the DnsUpdateProxy group, so that it will have
    # permission to do its job. Then, for security, remove it from Domain Users.
    $DUPGrp = Get-ADGroup 'DnsUpdateProxy' -Properties 'primaryGroupToken'
    # (The piped account binds to -Identity; the group is passed as -MemberOf.)
    $acct | Add-ADPrincipalGroupMembership -MemberOf $DUPGrp
    $acct | Set-ADUser -Replace @{'primaryGroupID' = $DUPGrp.primaryGroupToken}
    $acct | Remove-ADPrincipalGroupMembership -MemberOf 'Domain Users'
     
    # Finally, create a PSCredential object from our username and password, then
    # add it to the local machine's DHCP Server service.
    $username = $acct.UserPrincipalName
    $credentials = [Management.Automation.PSCredential]::new($username, $passwd)
    Set-DHCPServerDNSCredential -Credential $credentials
     
    # Restart the DHCP Server service to make sure changes are applied.
    Restart-Service 'DHCPServer' -Force
    #---------------------------------------------------------------------------
 
NOTE
    This module will gladly let you shoot yourself in the foot.
    Read the following caveats to make sure you don't leave me a one-star rating
    on PowerShellGallery.com. (They do have ratings, right?)
 
    "Just because you can doesn't mean you should."
    -- Catherine Russell
 
    "Caveat emptor, quia ignorare non debuit quod jus alienum emit."
    ("Let the buyer beware, for [they] ought not to be ignorant of the nature of
      the property which [they are] buying from another party.")
    -- Latin proverb.
 
CAVEAT 1: This module may make your passwords too good.
    This module will generate passwords that might be too long or too strong for
    whatever purpose you had in mind. While you are free to generate a password
    that is over ~4.2 billion characters in length, whatever you're pasting this
    password into may ask you to use a shorter password or silently truncate it.
    If you're unlucky, it might simply crash and die trying to process something
    of that length.
 
    For example, some well-known services have their limits:
     - Old-school LAN Manager passwords are limited to 14 characters.
     - Active Directory Domain Services passwords are limited to 120 characters
       (when setting them with GUI tools like ADAC or aduc.msc).
     - Active Directory Domain Services passwords are limited to 240 characters
       at most (when setting them with the ActiveDirectory PowerShell module).
     - Azure AD and Microsoft 365 accounts are limited to 256 characters.
     - Web sites can use the maxlength attribute to specify a limit.
     - Web sites may also omit the maxlength attribute, thereby not specifying
       any limit; instead, they might simply truncate or refuse the password,
       with or without notifying you. Your Web browser may, or may not, be able
       to warn you about this.
 
CAVEAT 2: Extended ASCII is great -- when supported.
    You are able, and usually encouraged, to use the -UseExtendedAscii parameter
    to create passwords that have characters that no sane person could type on a
    regular keyboard. While this will be your most secure option, offering lots
    of entropy, and (depending on the service's storage mechanism) likely not to
    be cracked before the heat death of the universe, there's a good chance that
    this character set will cause many online services either to reject the nice
    password, or invent some strange way to fail; including, but not limited to,
    saving and hashing your truncated password, giving you no end of frustration
    in an endless cycle of resetting and trying passwords.
 
    This author sees that AD DS passwords can contain Extended ASCII characters.
    That's good to hear.
 
CAVEAT 3: Symbols in passwords.
    This author has worked with (and against!) certain models of Ricoh and Savin
    printers that cannot handle a percent sign ('%') in passwords. That one kept
    him busy for a while, until he decided to try using -NoSymbols, and scanning
    over SMB suddenly worked!
 
CAVEAT 4: Other stupid requirements.
    This same author also happened across a web site that required your password
    to start with a letter. Hence, the -StartWithLetter switch is an option, in
    case you, too, happen across that same site.
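
    A preflight check for caveats 1 through 4, as an added example that is not
    part of this module. The function name Test-PasswordFitsTarget and all of
    its parameters are hypothetical; the limits you pass in are up to you.

```powershell
function Test-PasswordFitsTarget {
    # Hypothetical helper (not part of PSPasswordGenerator).
    # Returns one message per violated constraint; no output means it fits.
    [CmdletBinding()]
    [OutputType([string[]])]
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [int] $MaxLength,    # Caveat 1: length limit
        [switch] $AsciiOnly,                        # Caveat 2: no Extended ASCII
        [char[]] $ForbiddenCharacters = @(),        # Caveat 3: e.g. '%'
        [switch] $MustStartWithLetter               # Caveat 4
    )

    # Decrypt only inside this function; the plaintext is never written out.
    $plain    = [System.Net.NetworkCredential]::new('', $Password).Password
    $problems = [System.Collections.Generic.List[string]]::new()

    if ($plain.Length -gt $MaxLength) {
        $problems.Add("Length $($plain.Length) exceeds the limit of $MaxLength.")
    }
    if ($AsciiOnly -and $plain -cmatch '[^\x20-\x7E]') {
        $problems.Add('Contains characters outside printable 7-bit ASCII.')
    }
    foreach ($c in $ForbiddenCharacters) {
        if ($plain.Contains([string]$c)) {
            $problems.Add("Contains '$c', which the target cannot handle.")
        }
    }
    if ($MustStartWithLetter -and $plain -notmatch '^[A-Za-z]') {
        $problems.Add('Does not start with a letter.')
    }
    return $problems.ToArray()
}

# Constructed usage: a 32-character password checked against a target that
# accepts at most 14 ASCII characters and chokes on a percent sign.
$passwd = Get-RandomPassword -Length 32
$issues = Test-PasswordFitsTarget -Password $passwd -MaxLength 14 `
            -AsciiOnly -ForbiddenCharacters '%'
if ($issues) { $issues | Write-Warning } else { 'Password fits the target.' }
```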
 
CAVEAT 5: You need a wordlist for the random-words passwords.
    You will need to supply your own wordlist when generating a password that is
    made up of random words. Where you get this is up to you. There are plenty
    of free ones available.
 
CAVEAT 6, PROBABLY THE MOST OBVIOUS: This doesn't save your passwords!
    This module only exists to generate passwords. Saving these precious tokens
    is wholly your responsibility! You could save these passwords by using some
    app, method, or service. For example, you can:
    - Use a PowerShell module such as SecretManagement.
    - Use a password storage app such as KeePassX.
    - Use a password storage service such as LastPass or your Firefox Account.
    - Export it to disk with a cmdlet such as Export-CliXml.
    - Paste it into a text editor, then encrypt the text file with your GPG key.
    - Write it on a sticky note and put it under your keyboard. (Don't do this.)
    - Tell it to a friend. (Don't do this, either.)
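
    The Export-CliXml option from the list above, as an added example that is
    not part of this module. The account name and file path are hypothetical.

```powershell
#Requires -Version 5.0
#Requires -Module PSPasswordGenerator

# Hypothetical account name and output path, chosen for this example.
$username = 'svc-example@internal.contoso.com'
$path     = Join-Path $HOME 'svc-example.credential.xml'

# On Windows, Export-Clixml protects the SecureString with DPAPI, so only the
# same user on the same computer can import it. On other platforms the value
# is not encrypted, so refuse to write it there.
if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
    throw 'Export-Clixml does not encrypt credentials on this platform.'
}

# Generate the password and save it together with the user name.
$passwd     = Get-RandomPassword -Length 120
$credential = [Management.Automation.PSCredential]::new($username, $passwd)
$credential | Export-Clixml -Path $path

# Read the file back and confirm nothing was lost or truncated, without
# ever printing the password itself.
$restored = Import-Clixml -Path $path
$before   = $credential.GetNetworkCredential().Password
$after    = $restored.GetNetworkCredential().Password
if ($before -cne $after) {
    throw "Round trip failed: the credential in $path does not match."
}
"Saved a $($after.Length)-character password for $($restored.UserName) to $path"
```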
 
FINALLY, SOMETHING NOT DOOM AND GLOOM: Aliases.
    This cmdlet used to be named New-RandomPassword. Since the verb "New" might
    imply that it can change system state, I've switched it back to "Get". There
    is an alias, New-RandomPassword, so your scripts and muscle memory shall not
    need any updates.
 
SEE ALSO
    For more information, run Get-Help Get-RandomPassword.
 
    You can also find this project online and send code or feedback by visiting:
    https://github.com/rhymeswithmogul/PSPasswordGenerator
 
KEYWORDS
    - Get-RandomPassword
    - New-RandomPassword
    - Password generator
    - Password maker
    - Random password