Why is my Powershell password gnerator script including a character that is not listed?

Question

I wrote password generating script as a tool for my work. One of the websites I'm an administrator for has very specific password requirements, so I have a script just for generating passwords that this website finds acceptable.

The notable part here is there is a specific set of characters that this password cannot contain, so they have been excluded from the array of characters that is referenced to create this password. The characters that are not allowed are: < > * % & : \ ?

This is the script:

$Length = 15

$possibleCharsArray = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ123456789!@#$^".ToCharArray()
$repeats = 'aa|bb|cc|dd|ee|ff|gg|hh|ii|jj|kk|ll|mm|nn|oo|pp|qq|rr|ss|tt|uu|vv|ww|xx|yy|zz|11|22|33|44|55|66|77|88|99|00' # repeating characters are not allowed

$validPassword = $false

while($validPassword -eq $false){ #this block both generates the password and checks that it's valid

    $password = "" # start blank

    For($i=0;$i -lt $Length;$i++){ #create the password
        $randChar = Get-Random -InputObject $possibleCharsArray
        $password += $randChar
    }

    #checks to make sure the password contains numbers, uppercase letters, and special characters
    $containsNumbers = $password -match '[0-9]' # check to see if string contains numbers
    $containsCapLetters = $password -cmatch '[A-Z]' # check to see if string contains capital letters
    #$containsLowLetters = $password -cmatch '[a-z]' # check to see if string contains lowercase letters
    $containsSpecChars = $password -match '.*\W+.*' # check to see if string contains characters

    #checks how many of each type the password has
    $totalNums = ($password | Select-String -Pattern '[0-9]' -AllMatches).Matches.Count # this is to make sure there aren't too many numbers
    $totalCaps = [regex]::Matches($password,'[A-Z]').Count # this is to make sure there aren't too many capital letters
    $totalChars = ($password | Select-String -Pattern '[!@#$^]' -AllMatches).Matches.Count # this is to make sure there aren't too many special characters

    #if the password has all 3 mandatory character types, doesn't have too many of each character type, and doesn't contain any repeating characters, the password is valid and gets generated.
    if(($containsNumbers -and $containsCapLetters -and $containsSpecChars) -and (($totalNums -le 2) -and ($totalCaps -le 2) -and ($totalChars -le 2)) -and ($password -notmatch $repeats)){
        $validPassword = $true
    }
}

Write-Host "The new password is:`t $password"

And this is a screenshot of the result of multiple uses of the script (my username and part of the script name is censored for privacy) Powershell output results

What I expect to happen is for this script to generate a password that consists of characters from $possibleCharsArray without any repeats (I know the special characters are not listed in the $repeats array, I'm still working on that part) and without too many numbers, capital letters, or special characters. What keeps happening is the script is generating passwords that contain the \ character, sometimes more than once. I have no idea where it could be coming from.

I recognize that maybe I could just add another check to see if the \ character is included, and if so to re-generate the password again, but I'm so baffled by the random inclusion of the \ character that I wanted to see if anyone could provide any insight.

Answer 1

In order to store a string value to be used verbatim, i.e. without expansion (string interpolation), use a verbatim string (single-quoted, i.e. '...'), not, as you did, a "..." string, i.e. an expandable (interpolating) string

Specifically, inside "...", $-prefixed tokens are subject to expansion, and in your case $^ was interpreted as the automatic $^ variable, which expands to the first token of whatever command line was most recently submitted interactively (which may therefore situationally contain \).

# Note the use of '...' to avoid expansion of substrings such as $^
$possibleCharsArray = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ123456789!@#$^'.ToCharArray()