Encrypting Passwords in PowerShell With Your Own Key
2 min read · Jan 5, 2024
The security of passwords and strings is a little confusing in Microsoft Windows, and much of it uses legacy methods. For strings, we can encrypt them into secure strings using the Data Protection Application Programming Interface (DPAPI). But what if we want to use our own keys?
In terms of the encryption methods, it has been discovered that the DPAPI method depends on the operating system version:
- Windows 2000 uses RC4 and HMAC-SHA-1 with one round of PBKDF2. Approximate security strength: 95,000 passwords/second.
- Windows XP uses 3DES and HMAC-SHA-1 with 4,000 rounds of PBKDF2. Approximate security strength: 4,000 passwords/second.
- Windows Vista uses 3DES and HMAC-SHA-1 with 24,000 rounds of PBKDF2. Approximate security strength: 12 passwords/second.
- Windows 7 and Windows 10 use 256-bit AES-CBC and HMAC-SHA-512 with 5,600 rounds of PBKDF2. Approximate security strength: 10 passwords/second.
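For the own-key question raised above, here is an added example (not code from the original article) that contrasts the DPAPI default with `ConvertFrom-SecureString -Key`, which encrypts with AES under a supplied 16-, 24- or 32-byte key. The function names and the sample secret are assumptions made for illustration.

```powershell
# Added example, not code from the original article. Function names are hypothetical.

function New-RandomKey {
    # -Key accepts 16, 24 or 32 bytes (AES-128/192/256); default to a 256-bit key.
    param([ValidateSet(16, 24, 32)][int]$Bytes = 32)
    $key = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($key) } finally { $rng.Dispose() }
    return ,$key    # leading comma keeps the byte[] from being unrolled
}

function Protect-WithKey {
    param([Parameter(Mandatory)][securestring]$Secret,
          [Parameter(Mandatory)][byte[]]$Key)
    ConvertFrom-SecureString -SecureString $Secret -Key $Key
}

function Unprotect-WithKey {
    param([Parameter(Mandatory)][string]$Blob,
          [Parameter(Mandatory)][byte[]]$Key)
    $secure = ConvertTo-SecureString -String $Blob -Key $Key -ErrorAction Stop
    # NetworkCredential exposes the plaintext on Windows PowerShell 5.1 and PowerShell 7.
    [System.Net.NetworkCredential]::new('', $secure).Password
}

$plain  = 'qwerty123'    # constructed sample secret
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
$key    = New-RandomKey

# No -Key: DPAPI on Windows, so the blob is tied to this user on this machine.
$dpapiBlob = ConvertFrom-SecureString -SecureString $secure
# With -Key: AES under our key, so the blob can be opened wherever the key is held.
$keyBlob   = Protect-WithKey -Secret $secure -Key $key

"DPAPI blob length: " + $dpapiBlob.Length
"Keyed blob length: " + $keyBlob.Length
"Round trip OK: " + ((Unprotect-WithKey -Blob $keyBlob -Key $key) -ceq $plain)

# A different key must not recover the secret: expect an exception or non-matching text.
$otherKey = New-RandomKey
try   { $leak = (Unprotect-WithKey -Blob $keyBlob -Key $otherKey) -ceq $plain }
catch { $leak = $false }
"Other key recovers secret: " + $leak

[Array]::Clear($key, 0, $key.Length)    # wipe key material when finished
```

The keyed blob is only as safe as the key: store the key separately from the blob, with access limited to the accounts that must decrypt it.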
To create a secure string:
$pwd = 'qwerty123'
$securepwd = ConvertTo-SecureString -String $pwd -AsPlainText -Force
$encryptedpwd = ConvertFrom-SecureString -SecureString $securepwd
"Input: "+ $pwd
"Encrypted: " + $encryptedpwd
$dec = ConvertFrom-SecureString -SecureString $securepwd -AsPlainText
"Decrypted…