[Samba] Password Policy - how to reduce password complexity

Gregory Sloop gregs at sloop.net
Sat Mar 2 22:25:49 MST 2013


>>
>> > Windows cannot set the password for XXXX because: The password does not
>> meet the password policy requirements. Check the minimum password length,
>> password complexity and password history requirements.


TS> It's giving that error because you have a minimum length specified or
TS> complexity on. If you want to change that you need to run  'samba-tool
TS> domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
TS> really want to disable complexity and allow very weak passwords?

I think best practices show that passwords that are too hard to
remember [IMO the complexity requirement starts to get into this area]
simply frustrate users and the result will be they write down the
password and stick it near the computer. That is far worse than a
"weak" password. It's a password you can find by pulling open the top
drawer of their desk, looking under their keyboard, or simply looking
at the post-it on the monitor.

I'd recommend something like LastPass, but that's not really
applicable here, unless you're going to pull it off your phone or
something.

IMO, for most of my mid-to-smaller clients, I disable password
complexity requirements. I also disable the "can't reuse passwords for
4675 years" rule (sarcasm).

I've tended to simply generate passwords for each user and provide
them with a copy. We pick multiple quasi-words with some numbers and
simply live with some decreased security. [If the attacker can hit
your authenticator db with millions of guesses, on or off-line, the
game's probably over anyway.]

I'm sure that doesn't work for everyone - but a good admin should know
when and where to require higher security passwords and when not to.
If the admin doesn't know this - then they'll make a myriad of other
mistakes, so that high password complexity requirement will largely be
useless. [i.e. A high security lock in a styrofoam door.]

So, I guess I'd summarize this as: If high complexity passwords are
appropriate for your site, use them. If not, don't feel particularly
bad about not using them.

-Greg
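The three checks named in the Windows error at the top of the thread (minimum length, complexity, history) are what `samba-tool domain passwordsettings set` turns on and off. The following is an added example, not Samba's code and not Greg's: a small Python model of those checks, plus a generator for the "quasi-words with some numbers" style of password Greg describes. The category rule follows my reading of Samba's `check_password_quality()` (a password needs characters from at least three of five classes: digit, upper, lower, a fixed list of punctuation, and non-ASCII); the exact punctuation list, the default minimum length of 7 and the sample word list are assumptions to verify against your Samba version.

```python
"""Model of the Samba AD password policy checks behind the
"password does not meet the password policy requirements" error.
Added illustration only; not Samba's code."""

import secrets

# Punctuation that Samba counts as the "non-alphanumeric" class.
# Assumption: taken from my reading of check_password_quality(); other
# ASCII (space, control characters) counts toward no class at all.
NONALPHA = "~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/"

# Constructed word list for the "quasi-words" generator below.
QUASI_WORDS = ["Tarbel", "Quanto", "Mixel", "Dorvan", "Plinth", "Ravok"]


def categories(password: str) -> set:
    """Return the set of character classes present in the password."""
    cats = set()
    for c in password:
        if c.isascii():
            if c.isdigit():
                cats.add("digit")
            elif c.isupper():
                cats.add("upper")
            elif c.islower():
                cats.add("lower")
            elif c in NONALPHA:
                cats.add("nonalpha")
        elif c.isupper():
            cats.add("upper")
        elif c.islower():
            cats.add("lower")
        else:
            # Any other non-ASCII code point is its own class (assumption).
            cats.add("unicode")
    return cats


def meets_complexity(password: str) -> bool:
    """The --complexity=on rule: at least three of the five classes."""
    return len(categories(password)) >= 3


def check_policy(password: str, *, min_length: int = 7,
                 complexity: bool = True, history=()) -> list:
    """Return the reasons a password is rejected; an empty list means it
    would be accepted.  Defaults mirror a stock Samba domain (assumption:
    min length 7, complexity on)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length}")
    if complexity and not meets_complexity(password):
        reasons.append("fewer than 3 of 5 character classes")
    if password in history:
        reasons.append("reused")
    return reasons


def generate_passphrase(words=QUASI_WORDS, count: int = 3,
                        rng=secrets.SystemRandom()) -> str:
    """Greg's style: several capitalised quasi-words joined by '-' with a
    two-digit suffix.  Yields upper, lower, nonalpha and digit classes."""
    picked = [rng.choice(words) for _ in range(count)]
    return "-".join(picked) + str(rng.randrange(10, 100))


if __name__ == "__main__":
    for pw in ("password", "Passw0rd", "Pw1", generate_passphrase()):
        print(f"{pw!r}: {check_policy(pw) or 'accepted'}")
    # What TS's suggested command amounts to: everything passes.
    print(check_policy("cat", min_length=1, complexity=False) or "accepted")
```

Running the script shows why the error in the thread fires for an all-lowercase password even when it is long enough, and that the passphrase style Greg describes clears the stock complexity rule with four classes, so the only setting that needs relaxing for that approach is the history length, not complexity.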
