Managing Linux Passwords with passwd


When it comes to user accounts, the passwd utility is one that will see a lot of use. As you can guess from the name, it helps you manage account passwords on the system. It also gives you easy access to managing your own password and passwords for other users if you have root or sudo privileges.

How to use passwd

The syntax of passwd is simple:

passwd [OPTIONS] [USERNAME]

OPTIONS is one or more of the options listed below and can be omitted. USERNAME is the account you want to act on, which requires being root or having sudo permissions; it is also optional, and without it passwd acts on your own account.

To see all the options available, just use the option -? (or on some systems -h) or --help. This will give you a list like the following:

Usage: passwd [OPTION...] <accountName>
-k, --keep-tokens keep non-expired authentication tokens
-d, --delete delete the password for the named account (root only); also removes password lock if any
-l, --lock lock the password for the named account (root only)
-u, --unlock unlock the password for the named account (root only)
-e, --expire expire the password for the named account (root only)
-f, --force force operation
-x, --maximum=DAYS maximum password lifetime (root only)
-n, --minimum=DAYS minimum password lifetime (root only)
-w, --warning=DAYS number of days warning users receives before password expiration (root only)
-i, --inactive=DAYS number of days after password expiration when an account becomes disabled (root only)
-S, --status report password status on the named account (root only)
--stdin read new tokens from stdin (root only)

Help options:
-?, --help Show this help message
--usage Display brief usage message

Change the current user password

The most common use for passwd is to change your current password. You can change your own password without any extra permissions. All you need to do is run the passwd command and you will see the following:

$ passwd
Changing password for travis.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

The passwd command also checks password strength in the background and warns you about passwords that would fall to known dictionary attacks. For example, you may see BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word even when you provide a password that looks “strong”, because that password was discovered in a password leak. You may also get a message like BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic, which means that the password is too simple or includes patterns, something like apple, 123, 123456, 111111, etc.

Change another user’s password

If another system user forgets their password, or it needs to be changed for any reason, you can change it with root or sudo privileges by running:

sudo passwd george

Display password information

If you want to view information about a password, such as when it was set or the minimum number of days before it can be changed, you can use the -S or --status option. You can’t see the password itself, because it is stored only as a hash.

Some distros may require you to run this with root or sudo privileges.

sudo passwd -S travis

will return

travis PS 2022-07-13 0 99999 7 -1 (Password set, SHA512 crypt.)
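
As an added example (not part of the original article), the shell function below splits a status line like the one above into its fields and flags the settings worth reviewing. The field order after the date (minimum, maximum, warning, inactive), the one-letter P/L status codes some distros print, the function name and the finding labels are assumptions, and the george and alice lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit `passwd -S` lines.
# Assumed field order: user status last-change min max warn inactive (comment)
# Status codes: PS or P = usable password, LK or L = locked, NP = no password.

is_int() {
    case $1 in
        -1) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print "<user>: <findings>" for one status line; return 2 if it is malformed.
audit_status_line() {
    read -r user status changed min max warn inactive _comment <<EOF
$1
EOF
    if ! is_int "$min" || ! is_int "$max" || ! is_int "$warn" || ! is_int "$inactive"; then
        echo "malformed: $1"
        return 2
    fi
    findings=""
    case $status in
        NP)   findings="$findings no-password" ;;      # empty password field
        LK|L) findings="$findings password-locked" ;;  # informational
        PS|P) ;;
        *)    findings="$findings unknown-status" ;;
    esac
    # 99999 (as in the article's output) or -1 means the password never expires.
    if [ "$max" -ge 99999 ] || [ "$max" -lt 0 ]; then
        findings="$findings never-expires"
    fi
    # -1 means the account is never disabled after the password expires.
    if [ "$inactive" -lt 0 ]; then
        findings="$findings no-inactive-limit"
    fi
    echo "$user:${findings:- ok}"
}

# Sample input: the first line is the article's, the other two are constructed.
while read -r line; do
    audit_status_line "$line" || true
done <<'EOF'
travis PS 2022-07-13 0 99999 7 -1 (Password set, SHA512 crypt.)
george NP 2022-07-13 0 90 7 30
alice LK 2022-07-13 1 90 7 14
EOF
```

On a real host, replace the sample lines with the output of sudo passwd -S for each account you want to review.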

Remove user password

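If you want to prevent a user from accessing a system from the local system or SSH with a password, you can remove the password. Keep in mind that -d leaves the account with an empty password rather than a locked one, and, as the help output above notes, it also removes any password lock, so check that the system does not accept empty passwords for login. To remove the password, run: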

sudo passwd -d george

Expire user password immediately

If you need to force a password change on a user, you can use the following:

sudo passwd -e george

Lock/unlock account

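If you want to prevent a user from logging in with their password, or make the password usable again, you can use the following commands, which lock and unlock it, respectively. As the help output above says, -l locks the password for the account, so other ways of authenticating, such as SSH keys, are not affected.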

sudo passwd -l george
sudo passwd -u george

Lock account after inactive days

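Another handy feature is the ability to lock user accounts that don’t log in after so many days. The help output above describes -i as the number of days after password expiration when an account becomes disabled. As long as the account is logged into before the inactive days count runs out, the counter resets.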

sudo passwd -i 30 george

This will lock the account “george” if it is not logged into at least once every 30 days.

Set minimum days to change password

We can also set the minimum password lifetime, which is the number of days that must pass before the password can be changed again.

sudo passwd -n 90 george

Provide a password expiry warning days before password expires

If you want to provide users a warning a certain number of days before their password expires, you can use the following command.

sudo passwd -w 7 george
