In this article we discuss the passwd command in Linux and the common password management operations it supports, such as disabling, expiring and changing passwords and setting expiry warnings.
Linux is a multiuser system and as such requires authentication for user accounts. This is handled by user passwords. Here we discuss how to use the passwd command to perform some password management in Linux.
The syntax is as follows,
passwd [OPTIONS] [LOGIN]
You can run the commands on a test account. To create one, write,
sudo adduser alice
To change the account's password we write,
$ su alice
Password:
$ passwd
Changing password for alice.
Current password:
New password:
Retype new password:
You must choose a longer password.
New password:
Retype new password:
The password has not been changed.
New password:
Retype new password:
passwd: password updated successfully
The passwd command checks that the new password is long enough and differs from the previous one, and displays an error when either condition is not met.
- As the root user we can also change a user's password as follows,
$ sudo passwd alice
[sudo] password for root:
New password:
Retype new password:
passwd: password updated successfully
- We can also use the passwd command to view user password information,
$ sudo passwd -S alice
alice P 10/06/2030 0 99999 7 -1
From the output, we have the following fields,
- alice, this is the username of the user.
- P, this specifies the password status; it can be PS/P for password set, LK/L for locked password, or NP for no password.
- 10/06/2030, this is the last date the password was changed.
- 0, the minimum number of days between password changes.
- 99999, the maximum number of days between password changes.
- 7, the number of days of warning before the password expires.
- -1, this specifies the number of days the user has to change an expired password, after which the password is rendered inactive. It is set to -1 to signify never.
You can also use the chage command; it is discussed in another article, and the link is in the references section.
- To view password information for all users write,
sudo passwd -Sa
- We can also delete a user's password as follows,
$ sudo passwd -d alice
passwd: password expiry information changed.
$ su alice
If we switch to alice's account, there will be no prompt for a password.
We can also confirm this as follows,
$ sudo passwd -S alice
alice NP 10/06/2030 0 99999 7 -1
- To lock a user's password we use the -l option,
$ sudo passwd -l alice
passwd: password expiry information changed.
$ su alice
Password:
su: Authentication failure
You can confirm this by writing,
$ sudo passwd -S alice
alice L 10/06/2030 0 99999 7 -1
The passwd command does this by invalidating alice's password: it prepends an exclamation mark (!) to her encrypted password in the /etc/shadow file.
We can confirm this by writing,
$ sudo cat /etc/shadow | grep alice
alice:!$y$j9T$VdhL...
- To unlock it use the -u option,
$ sudo passwd -u alice
passwd: password expiry information changed.
Confirm it as follows,
$ sudo cat /etc/shadow | grep alice
alice:$y$j9T$Vd
$ sudo passwd -S alice
alice P 10/06/2030 0 99999 7 -1
- We can also expire a user's password using the -e option as follows,
$ sudo passwd -e alice
passwd: password expiry information changed.
Now on the next login alice will be required to change her password,
$ su alice
Password:
You are required to change your password immediately (administrator enforced).
Changing password for alice.
Current password:
New password:
Retype new password:
This also applies to remote ssh logins.
- We can make a user's password inactive n days after it expires by using the passwd command with the -i option,
$ sudo passwd -i 10 alice
passwd: password expiry information changed.
In this case, after alice's password expires she will have 10 days to change it; otherwise it will be rendered inactive and she won't be able to use it to log in to her account.
- The minimum number of days specifies how long after a password change the user must wait before changing it again.
We can set it using the -n option,
$ sudo passwd -n 30 alice
This means that after alice changes her password she won't be allowed to change it for another 30 days.
- The maximum number of days before password change specifies the maximum number of days a user can use a password, after which it expires.
We set it by using the -x option,
$ sudo passwd -x 35 alice
This states that alice can use this password for at most 35 days, after which it will expire. We use the -w option to warn her so that she can take action.
- Warning days specify for how many days before password expiry a user will be warned.
We use the -w option as follows,
$ sudo passwd -w 10 alice
Alice will be warned for 10 days about her password expiry.
You can view all these changes by writing,
$ sudo passwd -S alice
alice P 02/04/2022 30 35 10 10
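The status letter and the aging numbers that passwd -S prints come from the colon-separated fields of /etc/shadow, and the -x, -w and -i values combine into concrete dates. The script below is an added example, not part of the original article: it classifies shadow-format lines with the P/L/NP rule and derives the warning, expiry and inactive dates. The sample lines, the placeholder hashes, the bob and carol accounts and the helper name shadow_report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print a passwd -S style line for each shadow(5)-format
# line on stdin, then the dates implied by the -x, -w and -i settings.
shadow_report() {
    awk -F: '
    # Days since 1970-01-01 -> MM/DD/YYYY (civil-from-days arithmetic).
    function mdy(n,   z, era, doe, yoe, y, doy, mp, d, m) {
        z = n + 719468; era = int(z / 146097); doe = z - era * 146097
        yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
        y = yoe + era * 400
        doy = doe - (365 * yoe + int(yoe/4) - int(yoe/100))
        mp = int((5 * doy + 2) / 153)
        d = doy - int((153 * mp + 2) / 5) + 1
        m = (mp < 10) ? mp + 3 : mp - 9
        if (m <= 2) y++
        return sprintf("%02d/%02d/%04d", m, d, y)
    }
    function num(s) { return (s == "") ? -1 : s + 0 }   # empty field = unset (-1)
    /^[^#]/ && NF >= 8 {
        hash = $2; last = num($3); min = num($4); max = num($5)
        warn = num($6); inact = num($7)
        # Leading ! or * means locked, empty means no password, else set.
        if (hash ~ /^[!*]/)  status = "L"
        else if (hash == "") status = "NP"
        else                 status = "P"
        note = ""
        if (status == "NP") note = " empty-password"
        # Assumption of this example: 99999 or an unset maximum means no expiry.
        if (max < 0 || max == 99999 || last < 0) note = note " never-expires"
        else {
            due = last + max
            if (warn > 0)   note = note " warn-from=" mdy(due - warn)
            note = note " expires=" mdy(due)
            if (inact >= 0) note = note " inactive-after=" mdy(due + inact)
        }
        printf "%s %s %s %d %d %d %d |%s\n", $1, status, mdy(last), min, max, warn, inact, note
    }'
}

# Constructed sample lines (the hashes are placeholders, not real hashes).
SAMPLE='alice:$y$j9T$PLACEHOLDER:19027:30:35:10:10::
bob::19027:0:99999:7:::
carol:!$y$j9T$PLACEHOLDER:19027:0:99999:7:::'

printf '%s\n' "$SAMPLE" | shadow_report
```

Run it against the real file with sudo cat /etc/shadow | shadow_report. An L status only blocks password authentication; as passwd(1) notes, the user may still be able to log in with another token such as an SSH key.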
In this article we have discussed the passwd command and how to perform various operations such as locking and unlocking a password, disabling a password, setting the maximum and minimum days for password changes, expiring a password so a user can reset it, changing the current user's and other users' passwords, listing user password information, and setting a warning period within which a user will be notified to change the current password.