
[Samba] Password Policy - how to reduce password complexity


Immo Wetzel

Mar 2, 2013, 4:00:01 PM
Hi,

I'm really new with Samba 4. Great work. Thanks to the team.

But right now a question I haven't solved from the FAQ.
Can I use the Group Policy - Computer - Account - Password Policy
to restrict the password complexity? It seems not. I use the Windows 7 Remote Admin tools to write a valid policy but it seems it's not activated or used.

elkberry
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Thomas Simmons

Mar 2, 2013, 4:30:01 PM
On Sat, Mar 2, 2013 at 3:55 PM, Immo Wetzel <iwe...@gmx.net> wrote:

> Hi,
>
> I'm really new with Samba 4. Great work. Thanks to the team.
>
> But right now a question I haven't solved from the FAQ.
> Can I use the Group Policy - Computer - Account - Password Policy
> to restrict the password complexity? It seems not. I use the Windows 7
> Remote Admin tools to write a valid policy but it seems it's not activated
> or used.
>
> elkberry
>

This is done on the DC with the command 'samba-tool domain
passwordsettings'.

Thomas Simmons

Mar 2, 2013, 5:20:01 PM
On Sat, Mar 2, 2013 at 4:51 PM, Immo Wetzel <iwe...@gmx.net> wrote:

> A bit more clear.
>
> Windows says
>
> > Windows cannot set the password for XXXX because: The password does not
> meet the password policy requirements. Check the minimum password length,
> password complexity and password history requirements.


It's giving that error because you have a minimum length specified or
complexity on. If you want to change that you need to run 'samba-tool
domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
really want to disable complexity and allow very weak passwords?


>
> ----- Original message -----
>
> From: Thomas Simmons
>
> Sent: 02.03.13 22:20
>
> To: Immo Wetzel
>
> Subject: Re: [Samba] Password Policy - how to reduce password complexity
>
> On Sat, Mar 2, 2013 at 3:55 PM, Immo Wetzel <iwe...@gmx.net> wrote:
>
>> Hi,
>>
>> I'm really new with Samba 4. Great work. Thanks to the team.
>>
>> But right now a question I haven't solved from the FAQ.
>> Can I use the Group Policy - Computer - Account - Password Policy
>> to restrict the password complexity? It seems not. I use the Windows 7
>> Remote Admin tools to write a valid policy but it seems it's not activated
>> or used.
>>
>> elkberry
>>
>
> This is done on the DC with the command 'samba-tool domain
> passwordsettings'.
>
>
>
> elkberry
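The `samba-tool domain passwordsettings` commands above change the policy but do not tell you how far it now sits from a sane baseline. The script below is an added example, not from the thread or the Samba project: it parses the output format of `samba-tool domain passwordsettings show` (a constructed sample is embedded, reflecting the `--min-pwd-length=1 --complexity=off` change discussed here) and prints the matching `set` option for every value below an assumed baseline; the thresholds are assumptions, not Samba defaults.

```shell
#!/bin/sh
# Added example (not from the thread): audit 'samba-tool domain passwordsettings show'
# output against a baseline and print the 'set' option that raises each weak value.
# Baseline thresholds are assumptions chosen for illustration, not Samba defaults.

# Constructed sample in the format samba-tool prints; it reflects the
# '--min-pwd-length=1 --complexity=off' change discussed in the thread.
SAMPLE_SHOW=$(cat <<'EOF'
Password information for domain 'DC=example,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 1
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
)

# audit_pwdsettings: reads 'show' output on stdin, prints one "WEAK:" line per
# setting below baseline together with the option that fixes it, returns 1 if any.
audit_pwdsettings() {
    awk -F': ' '
        function weak(fix) {
            print "WEAK: " $0 "  -> samba-tool domain passwordsettings set --" fix
            n++
        }
        /^Password complexity:/        { if ($2 != "on")  weak("complexity=on") }
        /^Store plaintext passwords:/  { if ($2 != "off") weak("store-plaintext=off") }
        /^Minimum password length:/    { if ($2+0 < 8)    weak("min-pwd-length=8") }
        /^Password history length:/    { if ($2+0 < 12)   weak("history-length=12") }
        /^Account lockout threshold/   { if ($2+0 == 0)   weak("account-lockout-threshold=10") }
        END { exit (n > 0) }
    '
}

# Against a live DC this would be:
#   samba-tool domain passwordsettings show | audit_pwdsettings
# Here it runs against the constructed sample.
if printf '%s\n' "$SAMPLE_SHOW" | audit_pwdsettings; then
    echo "password policy meets baseline"
else
    echo "password policy below baseline (see WEAK lines above)"
fi
```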

Gregory Sloop

Mar 3, 2013, 12:30:01 AM

>>
>> > Windows cannot set the password for XXXX because: The password does not
>> meet the password policy requirements. Check the minimum password length,
>> password complexity and password history requirements.


TS> It's giving that error because you have a minimum length specified or
TS> complexity on. If you want to change that you need to run 'samba-tool
TS> domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
TS> really want to disable complexity and allow very weak passwords?

I think best practices show that passwords that are too hard to
remember [IMO the complexity requirement starts to get into this area]
simply frustrate users and the result will be they write down the
password and stick it near the computer. That is far worse than a
"weak" password. It's a password you can find by pulling open the top
drawer of their desk, looking under their keyboard, or simply looking
at the post-it on the monitor.

I'd recommend something like LastPass, but that's not really
applicable here, unless you're going to pull it off your phone or
something.

IMO, for most of my mid-to-smaller clients, I disable password
complexity requirements. I also disable the "can't reuse passwords for
4675 years. (sarcasm)"

I've tended to simply generate passwords for each user and provide
them with a copy. We pick multiple quasi-words with some numbers and
simply live with some decreased security. [If the attacker can hit
your authenticator db with millions of guesses, on or off-line, the
game's probably over anyway.]

I'm sure that doesn't work for everyone - but a good admin should know
when and where to require higher security passwords and when not to.
If the admin doesn't know this - then they'll make a myriad of other
mistakes, so that high password complexity requirement will largely be
useless. [i.e. A high security lock in a styrofoam door.]

So, I guess I'd summarize this as: If high complexity passwords are
appropriate for your site, use them. If not, don't feel particularly
bad about not using them.

-Greg

Neal Murphy

Mar 3, 2013, 1:20:01 AM
On Sunday, March 03, 2013 12:25:49 AM Gregory Sloop wrote:

> IMO, for most of my mid-to-smaller clients, I disable password
> complexity requirements. I also disable the "can't reuse passwords for
> 4675 years. (sarcasm)"

I take this one step further for small offices--without IT staff--where pretty
much everyone knows everyone's business. *I* dream up mnemonic passwords based
on what they do and what the business does. Staff members easily remember the
passwords and the business admin keeps the list in an inaccessible location in
a password-protected spreadsheet along with all the internet passwords they
use to purchase equipment and supplies and renew licenses. The main benefits:

- They use reasonably strong passwords
- They remember the passwords
- I can log in as them when they have access problems
- When someone leaves, needed internet accounts are continued with a
mere email/name/password change

I periodically change all the passwords, but not frequently. Staff have better
things to do than having to memorize a new password whenever they sneeze.

I also put wireless outside the firewalled office LAN and require employees to
use openVPN to access the protected LAN from wireless or internet (they're
really the same). But I digress.

Nico Kadel-Garcia

Mar 20, 2013, 10:30:01 PM
On Sun, Mar 3, 2013 at 12:25 AM, Gregory Sloop <gr...@sloop.net> wrote:
>
>>>
>>> > Windows cannot set the password for XXXX because: The password does not
>>> meet the password policy requirements. Check the minimum password length,
>>> password complexity and password history requirements.
>
>
> TS> It's giving that error because you have a minimum length specified or
> TS> complexity on. If you want to change that you need to run 'samba-tool
> TS> domain passwordsettings set --min-pwd-length=1 --complexity=off'. Do you
> TS> really want to disable complexity and allow very weak passwords?
>
> I think best practices show that passwords that are too hard to
> remember [IMO the complexity requirement starts to get into this area]
> simply frustrate users and the result will be they write down the
> password and stick it near the computer. That is far worse than a
> "weak" password. It's a password you can find by pulling open the top
> drawer of their desk, looking under their keyboard, or simply looking
> at the post-it on the monitor.

There are trade-offs (from old security work). Too-complex passwords
tend to get used *everywhere* by the same person, and get cut and
pasted into scripts. This leads to escalation attacks, where a
password sniffed by people using HTTP for LDAP or Kerberos managed
passwords or using locally stored passwords for Subversion, chef, CVS,
or other risky tools wind up with their site-wide email and login
passwords copied or written into Wikis. (God knows I've seen that!!)

Too simple passwords get brute-force cracked, remotely, all day long
all over the world on exposed hosts, which I've been seeing for....
over 20 years, since I had to deal with the Morris Worm.

> I'd recommend something like LastPass, but that's not really
> applicable here, unless you're going to pull it off your phone or
> something.

I'm personally fond of the XKCD algorithm:

http://xkcd.com/936/

Sets of personally memorable words in plain-text, no case mixing, long
enough to have much higher entropy than the 8 character "l33tSk!z"
passwords and less likely to cause RSI or mistyping locking you out of
your account.