On Sun, Mar 3, 2013 at 12:25 AM, Gregory Sloop <gr...@sloop.net> wrote:
>
>>> Windows cannot set the password for XXXX because: The password does not
>>> meet the password policy requirements. Check the minimum password length,
>>> password complexity and password history requirements.
>
> TS> It's giving that error because you have a minimum length specified or
> TS> complexity on. If you want to change that you need to run 'samba-tool
> TS> domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
> TS> really want to disable complexity and allow very weak passwords?
>
> I think best practices show that passwords that are too hard to
> remember [IMO the complexity requirement starts to get into this area]
> simply frustrate users and the result will be they write down the
> password and stick it near the computer. That is far worse than a
> "weak" password. It's a password you can find by pulling open the top
> drawer of their desk, looking under their keyboard, or simply looking
> at the postie on the monitor.

There are trade-offs (from old security work). Too-complex passwords
tend to get used *everywhere* by the same person, and get cut and
pasted into scripts. This leads to escalation attacks, where a password
sniffed by people using HTTP for LDAP or Kerberos managed passwords or
using locally stored passwords for Subversion, chef, CVS, or other
risky tools wind up with their site-wide email and login passwords
copied or written into Wikis. (God knows I've seen that!!) Too simple
passwords get brute-force cracked, remotely, all day long all over the
world on exposed hosts, which I've been seeing for.... over 20 years,
since I had to deal with the Morris Worm.

> I'd recommend something like LastPass, but that's not really
> applicable here, unless you're going to pull it off your phone or
> something.

I'm personally fond of the XKCD algorithm: http://xkcd.com/936/

Sets of personally memorable words in plain-text, no case mixing, long
enough to have much higher entropy than the 8 character "l33tSk!z"
passwords and less likely to cause RSI or mistyping locking you out of
your account.
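
Added example (not part of the original message): a Python sketch that puts numbers on the trade-off discussed above. It compares the entropy of randomly chosen word passphrases with an upper bound for an 8-character password, and shows that an all-lowercase passphrase fails a simplified "three character classes" complexity rule. The word-list sizes, the sample words and the complexity model are assumptions, not Samba's actual check.

```python
import math
import secrets

# Constructed sample list (assumption). A real list would have thousands of
# words; entropy depends only on list size and on uniformly random selection.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "lantern", "pickle", "meadow"]


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy in bits of n_words drawn uniformly at random from a list."""
    return n_words * math.log2(list_size)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Upper bound: every character drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def character_classes(password: str) -> int:
    """Count classes present: lowercase, uppercase, digit, other."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())
    return sum(any(chk(c) for c in password) for chk in checks)


def passes_complexity(password: str, required_classes: int = 3) -> bool:
    """Simplified 'three character classes' rule (assumed model)."""
    return character_classes(password) >= required_classes


def generate_passphrase(words, n_words: int, sep: str = " ") -> str:
    """Pick words with a CSPRNG; human-picked words have less entropy."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    target = random_password_bits(94, 8)  # 94 printable ASCII characters
    print(f"random 8-char password: at most {target:.1f} bits")
    for size in (2048, 7776):  # assumed word-list sizes
        print(f"{size}-word list: 4 words = {passphrase_bits(size, 4):.1f} bits,"
              f" {words_needed(size, target)} words needed to match")
    for pw in ("l33tSk!z", "correct horse battery staple"):
        print(f"{pw!r}: passes complexity = {passes_complexity(pw)}")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 5))
```

With complexity left on, a lowercase word passphrase is rejected under this model while the short mixed-class password is accepted, so a policy built around passphrases has to carry its strength in the minimum length setting instead.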