Among the plethora of commands available in Linux, the passwd command stands out as a fundamental tool. Its primary function is to change the password associated with a user account, which is crucial for maintaining security and user authentication in a Linux environment.
Moreover, the passwd command also provides additional advanced features essential in every Linux system administrator’s toolkit. Here’s a brief overview of its capabilities:
- Changing Passwords: The most common use of the passwd command is to change the password of the user’s account. Users can change their password, and root users (administrators) can change the password for any account.
- Setting Password Policies: It can also be used to set password aging policies, determining how often passwords must be changed and when they expire.
- Locking and Unlocking User Accounts: The passwd command can lock and unlock user accounts. Locking an account prevents the user from logging in, which can be helpful for administrative purposes or security measures.
- Displaying Password Information: It can display information about the user’s password, such as the last time it was changed and the password expiration date.
From basic password changes to more advanced features like password aging and locking accounts, this guide aims to equip you with the knowledge and skills to manage user passwords effectively, enhancing your system’s security.
A necessary clarification before we start: as a regular user, you can only manage your own password. The root user and users with sudo privileges, on the other hand, can manage other users’ passwords and define how those passwords can be used.
For information on how to add your user to the “sudo” group, consult our guide here.
In addition, if you have forgotten the root password, our easy-to-follow guide “How to Reset a Forgotten Root Password in Linux” provides simple and quick steps to help you easily change it.
Tips for a Strong Password
Creating a strong password is crucial for protecting your account and personal information. Here are some general tips to help you create effective, secure passwords:
- Length Matters: Aim for at least 12 characters. Longer passwords are harder for hackers to crack.
- Mix It Up: Use a mix of uppercase and lowercase letters, numbers, and symbols.
- Avoid Common Words: Avoid using easily guessable information like birthdays or common words.
- Use Passphrases: Consider a passphrase – a sequence of words or a sentence. It can be easier to remember and harder to crack.
How to Change Your Password
In Linux, any user can change their password at any time. To change your own user’s account password, run the passwd command without any arguments:
passwd
Upon entering this command, the system will prompt you to verify your current password. Then, if your password is correct, the command will prompt you to enter and confirm your new password. This step ensures that you haven’t made any typing errors.
Once you’ve successfully entered your new password twice, the system will update your password, and you’ll see a confirmation message indicating that the password has been successfully changed.
How to Change Another User’s Password
While it’s commonly used for changing one’s password, the passwd command also allows administrators to change other users’ passwords.
So, if you are a system administrator with many users, there will come a time when a user forgets their password, and you or someone with sudo privileges will be required to reset their password.
For example, to change the password of a user named “james,” type passwd followed by the username of the account whose password you want to change, in our case, “james.”
sudo passwd james
As you have probably noticed, when changing your password, you are prompted for the current one. However, in this case, we are only required to enter and verify the new password for the user without needing the existing one.
In other words, the passwd command will not ask you for the old password since you are acting as a user with sudo privileges. So, you can change any user’s password without knowing the old one.
How to Force User to Change Password in Linux
By default, in Linux, passwords are set never to expire. Aside from setting or changing a user’s password, the passwd command can also force the user to change their password the next time they log in.
For this to happen, the password must first be marked as expired. This can be achieved by using the -e (--expire) option with the passwd command, followed by the username for which we want to mark the password as expired.
For example, to mark the password as expired for a user named “james”, use the following command:
sudo passwd -e james
Next, with the help of the chage command, we can verify the user james’ password expiration. The chage command views and changes the user password expiry information.
sudo chage -l james
The output of this command shows that the user password needs to be changed. Therefore, when user “james” tries to log in again, he will be prompted to change his password before he can access a shell.
How to Remove User Password in Linux
To make a user account passwordless, use the -d (--delete) option with the passwd command. This is a quick way to disable a password for an account.
For example, type the following command to remove the user password of a user called “james”:
sudo passwd -d james
The command above deletes a user’s password (makes it empty). Although this is possible, and you can have an account without a password, it’s not advised because anyone can access the system by typing in only the account username.
As you can see, the system no longer requires a password for authentication for the user “james.”
How to Disable User Password in Linux
You can stop users from logging in by locking the account’s password. Use the passwd command with the -l (--lock) option added, followed by the username.
sudo passwd -l james
The -l option disables a password by changing it to a value that matches no possible encrypted value. As a result, the user will be unable to log in.
So, when the user “james” next tries to log in, their password is rejected, and they receive an authentication error.
Of course, if the user “james” authenticates through a passwordless SSH connection based on public/private key exchange, disabling the password will not stop his access to the system.
So it’s also a good idea, in addition, to set the user shell to “nologin” to avoid security issues:
sudo usermod -s /usr/sbin/nologin james
You can use the -u (--unlock) switch to unlock the user “james” account.
sudo passwd -u james
Then reset its login shell back to “/bin/bash”.
sudo usermod -s /bin/bash james
Check the Status of a User’s Password
When it comes to audits and housekeeping, checking the status of a user’s password is a valuable tool for system administrators.
So let’s check the status of a user’s password for the user “james.” First, open a terminal and run the passwd command with the -S (--status) switch.
sudo passwd -S james
As you can see, the status information consists of seven fields. So, let’s break them down one by one.
- The first field is the user’s login name.
- The second field indicates if the user account has a locked password (L), no password (NP), or a usable password (P).
- The third field gives the date of the last password change.
- The fourth field is the minimum password age: the number of days that must pass before the password may be changed.
- The fifth field is the maximum password age: the number of days after which the password must be changed.
- The sixth field is the warning period: the number of days before the password expires during which the user receives warnings.
- The seventh field is the inactivity period: the number of days after the password expires until the user is disabled.
Additionally, the -Sa switch is helpful if you want to list the password status for all users.
sudo passwd -Sa
We can see all of the users on our Linux machine here, but the three real users are “root,” “linuxiac,” and “james.”
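The seven status fields, combined with the earlier point that a locked password does not stop key-based SSH logins unless the shell is also changed, can be turned into a small audit. The script below is an added example and not part of the original guide; it assumes the L/NP/P status codes described above, treats a maximum age of 99999 or a negative value as "never expires", and uses constructed sample lines (the account "guest" is made up).

```shell
#!/bin/sh
# Added example. Usage: audit_passwd_status STATUS_FILE PASSWD_FILE
#   STATUS_FILE: saved output of `sudo passwd -Sa` (seven fields per line)
#   PASSWD_FILE: copy of /etc/passwd (seventh field is the login shell)
audit_passwd_status() {
    awk '
        # First input (passwd file): remember the login shell of each account.
        FNR == NR { split($0, f, ":"); shell[f[1]] = f[7]; next }
        NF < 7 { next }          # skip anything that is not a status line
        {
            user = $1; status = $2; max = $5 + 0
            interactive = (shell[user] !~ /(nologin|false)$/)
            if (status == "NP")
                print user ": empty password, set one or lock the account"
            else if (status == "L" && interactive)
                print user ": password locked but shell is " shell[user]
            # Assumption: 99999 or a negative maximum age means no expiry.
            else if (status == "P" && interactive && (max < 0 || max >= 99999))
                print user ": password never expires (max age " max ")"
        }
    ' "$2" "$1"
}

# Constructed sample data standing in for real command output.
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/status" <<'EOF'
root P 2024-01-10 0 99999 7 -1
daemon L 2024-01-10 0 99999 7 -1
linuxiac P 2024-03-02 0 90 7 -1
james L 2024-03-05 0 99999 7 -1
guest NP 2024-03-05 0 99999 7 -1
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
linuxiac:x:1000:1000::/home/linuxiac:/bin/bash
james:x:1001:1001::/home/james:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
EOF
    audit_passwd_status "$dir/status" "$dir/passwd"
    rm -rf "$dir"
}

run_sample
```

On a real system, save the output of sudo passwd -Sa to a file and pass it together with /etc/passwd; accounts with a locked password and a nologin shell produce no finding.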
Conclusion
The passwd command in Linux is an indispensable tool for effective security management. Through this article, we have explored its various functionalities and demonstrated how to use them effectively.
You’ve learned how to change, remove, or disable a user’s password in Linux. Moreover, now you know how to check the status of a user’s password. The guidance given here should work with any Linux distro.
You can head to the command’s man page for more detailed information about the passwd command in Linux.