cloudfoundry · Alphasite · Apr 17, 2026 · Apr 16, 2026
diff --git a/stembuild/stemcell-automation/AutomationHelpers.Tests.ps1 b/stembuild/stemcell-automation/AutomationHelpers.Tests.ps1
@@ -518,21 +518,12 @@ Describe "AutomationHelpers" {
     }
 
     Describe "GenerateRandomPassword" {
-        BeforeEach {
-            Mock -ModuleName AutomationHelpers -CommandName Get-Random { "changeMe123!".ToCharArray() }
-        }
-
         It "generates a valid password" {
-            Mock -ModuleName AutomationHelpers -CommandName Valid-Password { $True }
-
             $result = ""
             { GenerateRandomPassword | Set-Variable -Name "result" -Scope 1 } | Should -Not -Throw
-            $result | Should -BeExactly "changeMe123!"
-
-            Should -Invoke -ModuleName AutomationHelpers -CommandName Get-Random -Times 1
-            Should -Invoke -ModuleName AutomationHelpers -CommandName Valid-Password -Times 1 -ParameterFilter {
-                $Password -eq "changeMe123!"
-            }
+            $result.Length | Should -Be 24
+            Valid-Password -Password $result | Should -Be $True
+
             Should -Invoke -ModuleName AutomationHelpers -CommandName Write-Log -Times 1 -ParameterFilter {
                 $Message -eq "Successfully generated password"
             }
@@ -543,14 +534,18 @@ Describe "AutomationHelpers" {
 
             { GenerateRandomPassword } | Should -Throw "Unable to generate a valid password after 200 attempts"
 
-            Should -Invoke -ModuleName AutomationHelpers -CommandName Get-Random -Times 200
-            Should -Invoke -ModuleName AutomationHelpers -CommandName Valid-Password -Times 200 -ParameterFilter {
-                $Password -eq "changeMe123!"
-            }
+            Should -Invoke -ModuleName AutomationHelpers -CommandName Valid-Password -Times 200
             Should -Invoke -ModuleName AutomationHelpers -CommandName Write-Log -Times 1 -ParameterFilter {
                 $Message -eq "Failed to generate password after 200 attempts"
             }
         }
+
+        It "generates unique passwords on subsequent calls" {
+            $passwordOne = GenerateRandomPassword
+            $passwordTwo = GenerateRandomPassword
+
+            $passwordOne | Should -Not -BeExactly $passwordTwo
+        }
     }
 
     Describe "Valid-Password" {

diff --git a/stembuild/stemcell-automation/AutomationHelpers.psm1 b/stembuild/stemcell-automation/AutomationHelpers.psm1
@@ -275,17 +275,25 @@ function GenerateRandomPassword
     $limit = 200
     $count = 0
 
-    while ($limit-- -gt 0)
-    {
-        $passwd = (Get-Random -InputObject $CharList -Count 24) -join ''
-        if (Valid-Password -Password $passwd)
+    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
+    $bytes = New-Object byte[] 24
+
+    try {
+        while ($limit-- -gt 0)
         {
-            Write-Log "Successfully generated password"
-            return $passwd
+            $rng.GetBytes($bytes)
+            $passwd = ($bytes | ForEach-Object { $CharList[$_ % $CharList.Length] }) -join ''
+            if (Valid-Password -Password $passwd)
+            {
+                Write-Log "Successfully generated password"
+                return $passwd
+            }
         }
+        Write-Log "Failed to generate password after 200 attempts"
+        throw "Unable to generate a valid password after 200 attempts"
+    } finally {
+        $rng.Dispose()
     }
-    Write-Log "Failed to generate password after 200 attempts"
-    throw "Unable to generate a valid password after 200 attempts"
 }
 
 function SysprepVM