Security

New-sqmRandomSaPassword

Generates a cryptographically secure random password — suitable for the SA account — using RandomNumberGenerator and a Fisher-Yates shuffle, guaranteeing at least one uppercase, lowercase, digit, and special character while excluding visually ambiguous characters.

Module: sqmSQLTool
Requires: none
ShouldProcess: No
Output: SecureString

Execution Flow

START Build character pools (upper/lower/digit/special, no ambiguous chars) Pick 1 guaranteed char from each pool loop until -Length reached RandomNumberGenerator.GetInt32 → append char Fisher-Yates shuffle (crypto RNG, not Get-Random) Convert to SecureString -ExportPath given? No DPAPI export via ConvertFrom-SecureString Clear plaintext copy from memory Return SecureString DONE
Uses System.Security.Cryptography.RandomNumberGenerator instead of Get-Random for cryptographic strength. Ambiguous characters (I O i l o 0 1) are excluded from all pools. Only a SecureString is returned — the plaintext copy is cleared from memory immediately after use.

Parameters

ParameterTypeRequiredDescription
-LengthIntOptionalPassword length, 12–128. Default: 20.
-ExportPathStringOptionalIf given, exports a DPAPI-encrypted (current user/machine) copy via ConvertFrom-SecureString.

Return Value

Returns a System.Security.SecureString containing the generated password. No plaintext is returned.

Examples

Example 1 — Generate a default 20-character password

$saPwd = New-sqmRandomSaPassword

Example 2 — Generate and export an encrypted backup copy

$saPwd = New-sqmRandomSaPassword -Length 32 -ExportPath "C:\Secure\sa-pwd.xml"