How can I check password complexity?
Solution 1
Using a Try-Catch is the best way for me to handle this Issue.
I read the password, trying to execute the command
Catch the exception error, and request password again in case of password error
Solution 2
In addition to what TheIncorrigible1 and KoryGill already answered and as you included the error message The value provided for the new password does not meet the length, complexity, or history requirements of the domain, you may include a test for the Default password complexity.
If you do a
Get-ADDefaultDomainPasswordPolicy
You will get an object like this:
ComplexityEnabled : True
DistinguishedName : DC=yourdomain,DC=com
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 3
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 7
objectClass : {domainDNS}
objectGuid : 44e3c936-5c8f-40cd-af67-f846c184cc8c
PasswordHistoryCount : 24
ReversibleEncryptionEnabled : False
From this you can check interesting properties like the minimal length for a password in MinPasswordLength
, after how many times a password can be re-used in PasswordHistoryCount
.
If ComplexityEnabled
is True, then a password also requires a mix of Uppercase, Lowercase, Digits and Nonalphanumeric characters.
I found an excellent blog about that here you might want to read.
Solution 3
By using if statement in the Powershell script, you can validate the user inputs before moving to the next command. You can get the required password by this:
$Input = Read-Host "Please enter your password. `nPassword must meet complexity requirements:
`nAt least one upper case English letter [A-Z]`nAt least one lower case English letter [a-z]`nAt least one digit [0-9]`nAt least one special character (!,@,#,%,^,&,$)`nMinimum 7 in length."
if(($input -cmatch '[a-z]') -and ($input -cmatch '[A-Z]') -and ($input -match '\d') -and ($input.length -ge 7) -and ($input -match '!|@|#|%|^|&|$'))
{
Write-Output "$input is valid password"
}
else
{
Write-Output "$input is Invalid password"
}
Comments
-
orenk almost 2 years
I am using PowerShell to create local users. I need to get input from keyboard: Username & Password. To get the password I can use one of the following:
$user_details = Get-Credential
or
$pass = Read-Host -assecureString "Please enter your password"
In both cases, I will get encrypted password variable
System.Security.SecureString
. In both cases, when I try to create the user, withNew-LocalUser -Name $username -Password $pass
I get an error that the password is not complex.
New-LocalUser : Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
Since the password is encrypted, (System.Security.SecureString) I have no way to know the complexity of the password. How can I force the user to type a password that complies the complexity rules?
(using unencrypted passwords is not a good solution for me)
Update: After few answers that were relevant with good solutions, but did not meet my security requirement, I'd like to rephrase:
How can I check password complexity which is already stored in object: System.Security.SecureString (without decryption)
-
Maximilian Burszley over 5 years
$pass.GetNetworkCredential().Password
voila: plaintext password.
-
-
orenk over 5 yearsThanks for the answer, but Get-ADDefaultDomainPasswordPolicy is valid only in domain environment, I use a workgroup (or single) environment.
-
orenk over 5 yearsThis will get unencrypted password, Which I dont want to use.
-
orenk over 5 yearsThis will unencrypt the password, which is undesired security issue
-
Jegan.M over 5 yearsIt's just a sample. You can remove the 'write-output' and use the $input value to create the new user. Or you can also use Try-catch method.
-
NiKiZe over 4 yearsThis validates a string against a set rule of requirements, but does not take into consideration which settings are actually in effect.
-
Theo almost 4 years@orenk In that case, have a look here