[Samba] Password Policy - how to reduce password complexity

Nico Kadel-Garcia nkadel at gmail.com
Wed Mar 20 20:23:58 MDT 2013

On Sun, Mar 3, 2013 at 12:25 AM, Gregory Sloop <gregs at sloop.net> wrote:
>>> > Windows cannot set the password for XXXX because: The password does not
>>> meet the password policy requirements. Check the minimum password length,
>>> password complexity and password history requirements.
> TS> It's giving that error because you have a minimum length specified or
> TS> complexity on. If you want to change that you need to run  'samba-tool
> TS> domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
> TS> really want to disable complexity and allow very weak passwords?
> I think best practices show that passwords that are too hard to
> remember [IMO the complexity requirement starts to get into this area]
> simply frustrate users and the result will be they write down the
> password and stick it near the computer. That is far worse than a
> "weak" password. It's a password you can find by pulling open the top
> drawer of their desk, looking under their keyboard, or simply looking
> at the post-it on the monitor.

There are trade-offs (from old security work). Too-complex passwords
tend to get used *everywhere* by the same person, and get cut and
pasted into scripts. This leads to escalation attacks, where a
password sniffed by people using HTTP for LDAP or Kerberos managed
passwords or using locally stored passwords for Subversion, chef, CVS,
or other risky tools wind up with their site-wide email and login
passwords copied or written into Wikis. (God knows I've seen that!!)

Too-simple passwords get brute-force cracked, remotely, all day long
all over the world on exposed hosts, which I've been seeing for....
over 20 years, since I had to deal with the Morris Worm.

> I'd recommend something like LastPass, but that's not really
> applicable here, unless you're going to pull it off your phone or
> something.

I'm personally fond of the XKCD algorithm:


Sets of personally memorable words in plain-text, no case mixing, long
enough to have much higher entropy than the 8 character "l33tSk!z"
passwords and less likely to cause RSI or mistyping locking you out of
your account.
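To put numbers on the entropy comparison above, here is an added example (not from the original post) that computes the bits of entropy for an 8-character password drawn from the 95 printable ASCII characters versus a passphrase of N words drawn uniformly from a word list, and reports how many words are needed to match or exceed the 8-character password. The 7776-word list size is the standard Diceware size; the short word list in the code is a constructed toy list for demonstration only, and the figures assume words are picked at random (a CSPRNG), not "personally memorable" words chosen by the user, which carry less entropy.

```python
import math
import secrets

# Constructed toy word list for the demo only; a real deployment would draw from
# a published list such as the 7776-word Diceware/EFF lists, not from this one.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "lantern", "pebble",
                "orchard", "tumble", "velvet", "harbor", "meadow", "cinder"]

PRINTABLE_ASCII = 95    # alphabet an 8-character "l33tSk!z" password draws from
DICEWARE_WORDS = 7776   # size of a standard Diceware word list (6 ** 5)


def charset_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy for `word_count` words chosen uniformly (with replacement)."""
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count from a `list_size` list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list, count: int) -> str:
    """Plain lower-case words, no case mixing, chosen with the secrets CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    complex8 = charset_entropy_bits(PRINTABLE_ASCII, 8)
    print(f"8 chars from {PRINTABLE_ASCII} printable ASCII: {complex8:.1f} bits")
    for n in (4, 5, 6):
        print(f"{n} Diceware words: {wordlist_entropy_bits(DICEWARE_WORDS, n):.1f} bits")
    print("Diceware words needed to beat the 8-char password:",
          words_needed(DICEWARE_WORDS, complex8))
    print("Example passphrase (toy list, demo only):",
          generate_passphrase(SAMPLE_WORDS, 5))
```

With the Diceware list size, four words (about 51.7 bits) fall just short of the 8-character printable-ASCII password (about 52.6 bits) and five words (about 64.6 bits) clear it, which is the "long enough" in the post.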
