I think you must patch your Solaris 10, then root is no longer exempted from the complexity rules.
man passwd on an old Solaris 10 says:
Quote:
In the files case, super-users (for instance, real and
effective uid equal to 0, see id(1M) and su(1M)) can change
any password. Hence, passwd does not prompt privileged users
for the old password. Privileged users are not forced to
comply with password aging and password construction
requirements. A privileged user can create a null password
by entering a carriage return in response to the prompt for
a new password.
While a newer Solaris 10 says:
Quote:
The passwd command does not prompt authorized users for the
old password.
...
By default, even users authorized to change the password of
other users must comply with the configured password policy.
See pam_authtok_check(5).
This article suggests the change happened with Solaris 10 8/11.
BTW if you set the minimum password length to 8 then in fact you lower the security somewhat if you have CRYPT_DEFAULT=__unix__ in /etc/security/policy.conf because it always limits the maximum password length to 8.
So you should change it to CRYPT_DEFAULT=1 (1 or 2a or md5) to allow longer passwords! It also will create longer crypts in /etc/shadow, but can still understand the existing short Unix crypts.
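
An added example, not part of the original post: a small audit script for the CRYPT_DEFAULT setting discussed above, which also lists accounts whose /etc/shadow entry is still a short Unix crypt. The function names and the sample file contents are constructed for illustration; it assumes the usual shadow layout with the hash in the second colon-separated field.

```shell
#!/bin/sh
# Added example (not from the original post): audit the hashing setup discussed above.

# Print the CRYPT_DEFAULT value from a policy.conf-style file.
# Takes the last uncommented assignment (this script's choice); empty if none.
crypt_default() {
    awk -F= '/^[ \t]*CRYPT_DEFAULT[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) } END { print v }' "$1"
}

# Print accounts whose shadow hash (field 2) is a legacy Unix crypt:
# exactly 13 characters from [./0-9A-Za-z], with no "$id$" prefix.
legacy_crypt_users() {
    awk -F: 'length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" { print $1 }' "$1"
}

# Report the policy setting and every account still carrying a legacy crypt.
audit() {
    alg=$(crypt_default "$1")
    case "$alg" in
        "")       echo "CRYPT_DEFAULT is not set in $1" ;;
        __unix__) echo "CRYPT_DEFAULT=__unix__: passwords are limited to 8 characters" ;;
        *)        echo "CRYPT_DEFAULT=$alg: longer passwords are allowed" ;;
    esac
    for u in $(legacy_crypt_users "$2"); do
        echo "legacy Unix crypt: $u (kept until the next password change)"
    done
}

# Constructed sample files; the hash strings are placeholders, not real crypts.
make_samples() {
    cat > "$1/policy.conf" <<'EOF'
# CRYPT_DEFAULT=1
CRYPT_DEFAULT=__unix__
EOF
    cat > "$1/shadow" <<'EOF'
root:aaBBBBBBBBBBB:15000::::::
alice:$1$constrct$AAAAAAAAAAAAAAAAAAAAAA:15000::::::
bob:*LK*:::::::
carol:ccDDDDDDDDDDD:15000::::::
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit "$demo_dir/policy.conf" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a real system, run `audit /etc/security/policy.conf /etc/shadow` as root; accounts it lists keep their 8-character-limited hash after CRYPT_DEFAULT is changed until their password is set again.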