How can I check password complexity?


Solution 1

Using a try/catch is the best way for me to handle this issue.
I read the password and try to execute the command,
catch the exception, and request the password again in case of a password error.

Solution 2

In addition to what TheIncorrigible1 and KoryGill already answered, and since you included the error message "The value provided for the new password does not meet the length, complexity, or history requirements of the domain", you may include a test for the default password complexity.

If you do a

Get-ADDefaultDomainPasswordPolicy

You will get an object like this:

ComplexityEnabled           : True
DistinguishedName           : DC=yourdomain,DC=com
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 3
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : 44e3c936-5c8f-40cd-af67-f846c184cc8c
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False

From this you can check interesting properties like the minimum length for a password in MinPasswordLength, and after how many changes a password can be re-used in PasswordHistoryCount. If ComplexityEnabled is True, then a password also requires a mix of uppercase, lowercase, digit and non-alphanumeric characters.

I found an excellent blog about that here that you might want to read.

Solution 3

By using an if statement in the PowerShell script, you can validate the user input before moving to the next command. You can get the required password like this:

$input = Read-Host "Please enter your password. `nPassword must meet complexity requirements: `nAt least one upper case English letter [A-Z]`nAt least one lower case English letter [a-z]`nAt least one digit [0-9]`nAt least one special character (!,@,#,%,^,&,$)`nMinimum 7 in length."

# Note: $input shadows PowerShell's automatic $input variable; it works at script top level, but a different name is safer.
# The special-character test uses a character class: in an alternation like '!|@|#|%|^|&|$', the ^ and $ are
# regex anchors, so that test matched every string. -cmatch is case-sensitive, -match is not.
if (($input -cmatch '[a-z]') -and ($input -cmatch '[A-Z]') -and ($input -match '\d') -and ($input.Length -ge 7) -and ($input -match '[!@#%^&$]'))
{
    Write-Output "$input is a valid password"
}
else
{
    Write-Output "$input is an invalid password"
}
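Added example, not code from any answer above: it takes the rephrased question literally and checks a SecureString against the length and category rules from Solution 2 and Solution 3 (plus the Windows rule that the password must not contain the account name) by reading characters from an unmanaged BSTR that is zeroed afterwards, so no managed plaintext string is ever created. Test-SecureStringComplexity, its parameters and the account name 'alice' are assumptions; the default MinimumLength of 7 matches the policy shown above, and the default of 3 categories out of 4 approximates the Windows complexity rule.

```powershell
function Test-SecureStringComplexity {
    param(
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [int]$MinimumLength = 7,        # e.g. MinPasswordLength from the policy object
        [int]$MinimumCategories = 3,    # Windows complexity: at least 3 of the 4 categories counted below
        [string]$UserName = ''          # optional: reject passwords that contain the account name
    )
    $marshal = [System.Runtime.InteropServices.Marshal]
    $bstr    = [IntPtr]::Zero
    $reasons = [System.Collections.Generic.List[string]]::new()
    try {
        # Decrypt into unmanaged memory only: no immutable managed string is built,
        # and the buffer is zeroed and freed in the finally block.
        $bstr   = $marshal::SecureStringToBSTR($Password)
        $length = $Password.Length
        # BSTR characters are UTF-16 code units, 2 bytes each; mask to avoid negative Int16 values
        $readChar = { param($index) [char]($marshal::ReadInt16($bstr, 2 * $index) -band 0xFFFF) }

        $upper = $lower = $digit = $other = 0
        for ($i = 0; $i -lt $length; $i++) {
            $c = & $readChar $i
            if     ([char]::IsUpper($c)) { $upper++ }
            elseif ([char]::IsLower($c)) { $lower++ }
            elseif ([char]::IsDigit($c)) { $digit++ }
            else                         { $other++ }   # punctuation, symbols, other Unicode
        }
        $categories = @($upper, $lower, $digit, $other).Where({ $_ -gt 0 }).Count
        if ($length -lt $MinimumLength)         { $reasons.Add("shorter than $MinimumLength characters") }
        if ($categories -lt $MinimumCategories) { $reasons.Add("only $categories of 4 character categories") }

        # Case-insensitive substring search for the account name, done char by char in the BSTR
        if ($UserName.Length -ge 3) {
            for ($start = 0; $start -le $length - $UserName.Length; $start++) {
                $j = 0
                while ($j -lt $UserName.Length -and
                       [char]::ToUpperInvariant((& $readChar ($start + $j))) -eq [char]::ToUpperInvariant($UserName[$j])) { $j++ }
                if ($j -eq $UserName.Length) { $reasons.Add('contains the account name'); break }
            }
        }
    }
    finally {
        if ($bstr -ne [IntPtr]::Zero) { $marshal::ZeroFreeBSTR($bstr) }
    }
    [pscustomobject]@{ IsValid = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# Usage: read the password as a SecureString (as in the question) and test it before New-LocalUser
$pass   = Read-Host -AsSecureString 'Please enter your password'
$result = Test-SecureStringComplexity -Password $pass -MinimumLength 7 -UserName 'alice'
if (-not $result.IsValid) { "Password rejected: $($result.Reasons -join '; ')" }
```

In a domain you can feed MinPasswordLength from Get-ADDefaultDomainPasswordPolicy into -MinimumLength; in a workgroup the local policy still applies, so keep the defaults in line with what New-LocalUser enforces.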
Author: orenk

Updated on June 15, 2022

Comments

  • orenk
    orenk almost 2 years

    I am using PowerShell to create local users. I need to get input from the keyboard: username & password. To get the password I can use one of the following:

    $user_details = Get-Credential
    

    or

    $pass = Read-Host -assecureString "Please enter your password"
    

    In both cases, I will get an encrypted password variable (System.Security.SecureString). In both cases, when I try to create the user with

    New-LocalUser -Name $username -Password $pass
    

    I get an error that the password is not complex.

    New-LocalUser : Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

    Since the password is encrypted (System.Security.SecureString), I have no way to know the complexity of the password. How can I force the user to type a password that complies with the complexity rules?

    (Using unencrypted passwords is not a good solution for me.)

    Update: After a few answers that were relevant with good solutions but did not meet my security requirement, I'd like to rephrase:

    How can I check the complexity of a password that is already stored in a System.Security.SecureString object (without decryption)?

    • Maximilian Burszley
      Maximilian Burszley over 5 years
      $pass.GetNetworkCredential().Password voila: plaintext password.
  • orenk
    orenk over 5 years
    Thanks for the answer, but Get-ADDefaultDomainPasswordPolicy is valid only in domain environment, I use a workgroup (or single) environment.
  • orenk
    orenk over 5 years
    This will get the unencrypted password, which I don't want to use.
  • orenk
    orenk over 5 years
    This will unencrypt the password, which is an undesired security issue.
  • Jegan.M
    Jegan.M over 5 years
    It's just a sample. You can remove the Write-Output and use the $input value to create the new user. Or you can also use the try/catch method.
  • NiKiZe
    NiKiZe over 4 years
    This validates a string against a set rule of requirements, but does not take into consideration which settings are actually in effect.
  • Theo
    Theo almost 4 years
    @orenk In that case, have a look here