Also don't let him sucker you into the inferior debate. The simple truth is Linux allows users to have a shorter password (with a little modification). With Windows you need to increase the password length to include the Linux salt + password length to have the same or better protection. However, if that isn't good enough they can simply replace either the GINA or the crypto provider.
But to say Windows is inferior in allowing the password to be shorter... whoopdie do. When Linux catches up on the user experience then they can talk about having something better for the user. A shorter password isn't worth changing platforms.
And you completely miss the point. In the industry is the concept of an acceptable password. It varies, but it's usually between 8-12 characters, no dictionary, varying amount of numbers and symbols required. Passwords outside this wherever there is a password policy are rare, if not non-existent (I've never seen them). Windows and Linux have very easy methods to enforce this, even network-wide.
So the point is that the decent passwords are breakable on Windows, but not on Linux. Pretty severe passwords (stronger than any password policy I've seen, even in a classified environment) are breakable on Windows. A Rainbow Crack for Linux would say "only breaks up to six-character passwords" and most of us would consider that to be mostly useless. We can maybe hope to grab a few passwords on home machines with no known probability of success. Meanwhile, Rainbow Crack can crack 99.9%+ of Windows passwords in use today.
These are simple facts, not that difficult really.
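The salt argument running through this thread, as an added example that is not part of either post: one table precomputed without a salt resolves every unsalted record whose password it contains, while per-user salts make the same table miss, and identical hashes across accounts serve as an audit signal that stored hashes are unsalted. SHA-256 is a stand-in for the real hash formats, and the function names, sample accounts and 8-byte salt length are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def h(password: str, salt: bytes = b"") -> str:
    # SHA-256 is a stand-in (assumption), not the NT hash or crypt(3).
    return hashlib.sha256(salt + password.encode()).hexdigest()

def enroll(passwords: dict, salt_len: int) -> dict:
    """Return {user: (salt, hash)}; salt_len=0 models unsalted storage."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(salt_len)
        store[user] = (salt, h(pw, salt))
    return store

def verify(store: dict, user: str, attempt: str) -> bool:
    """Normal login check: recompute with the stored salt, compare in constant time."""
    salt, stored = store[user]
    return hmac.compare_digest(stored, h(attempt, salt))

def precomputed_hits(store: dict, table: dict) -> dict:
    """Users whose stored hash appears in one table built without any salt."""
    return {u: table[d] for u, (_, d) in store.items() if d in table}

def shared_hash_groups(store: dict) -> list:
    """Audit signal: accounts with identical hashes imply no per-user salt."""
    groups = {}
    for user, (_, digest) in store.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

# Constructed sample accounts and candidate list (not real data).
PASSWORDS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "x9#Lq2!vTz"}
TABLE = {h(p): p for p in ["Summer2024!", "P@ssw0rd12"]}

UNSALTED = enroll(PASSWORDS, salt_len=0)
SALTED = enroll(PASSWORDS, salt_len=8)

if __name__ == "__main__":
    print("unsalted hits:", precomputed_hits(UNSALTED, TABLE))
    print("salted hits:  ", precomputed_hits(SALTED, TABLE))
    print("unsalted duplicates:", shared_hash_groups(UNSALTED))
    print("salted duplicates:  ", shared_hash_groups(SALTED))
```

Running `shared_hash_groups` over an exported credential store is a quick way to confirm whether per-user salts are actually in effect.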