Couple of commands which help in finding passwords on a Windows based machine:

Wifi Passwords:

This command can be helpful during an assessment because it gives insight into how a device connects to different Wi-Fi networks. By looking at the networks a device has saved, you can sometimes discover other internal or guest networks the device uses, which may show pathways an attacker could move through if the device were compromised. 

netsh wlan show profiles | Select-String "All User Profile" | ForEach-Object { ($_.ToString().Split(":")[1].Trim()) } | ForEach-Object { Write-Host "`nProfile: $_" -ForegroundColor Cyan; (netsh wlan show profile name="$_" key=clear | Select-String "Key Content") -replace '.*:','Password: ' }

Searching the registry for stored passwords:

Get-ChildItem -Path HKLM:\, HKCU:\ -Recurse -ErrorAction SilentlyContinue | Get-ItemProperty -ErrorAction SilentlyContinue | Where-Object { $_ -match "password" }

Files that might contain passwords - starting at c:\

Get-ChildItem -Path C:\ -Include *.txt,*.xml,*.ini,*.config,*.bat -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password", "pwd", "pass" | Select Path, LineNumber, Line

Autologin at Registry

If automatic logon is configured, DefaultPassword will appear in plaintext, which is a security risk. This command is essentially showing whether Windows is set to automatically log in and, if so, with what credentials.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select-Object DefaultUsername, DefaultPassword, AutoAdminLogon

This one is exclusive to passwords, however its still a helpful command to have in your toolkit.  The following command can be used to look at the PowerShell history of all users or any users you are able to read if you are not an administrator.