When it comes to user accounts, the passwd utility is one that will see a lot of use. As you can guess from the name, it helps you manage account passwords on the system. It also gives you easy access to managing your own password and passwords for other users if you have root or sudo privileges.
How to use passwd
The syntax of passwd is simple:
passwd [OPTIONS] [USERNAME]
OPTIONS is one or more of the options listed below and may be omitted. USERNAME is the account you want to act on; it is also optional, and naming another user requires root or sudo privileges.
To see all the options available, just use the option -? (or on some systems -h) or --help. This will give you a list like the following:
Usage: passwd [OPTION...] <accountName>
  -k, --keep-tokens       keep non-expired authentication tokens
  -d, --delete            delete the password for the named account (root only); also removes password lock if any
  -l, --lock              lock the password for the named account (root only)
  -u, --unlock            unlock the password for the named account (root only)
  -e, --expire            expire the password for the named account (root only)
  -f, --force             force operation
  -x, --maximum=DAYS      maximum password lifetime (root only)
  -n, --minimum=DAYS      minimum password lifetime (root only)
  -w, --warning=DAYS      number of days warning users receives before password expiration (root only)
  -i, --inactive=DAYS     number of days after password expiration when an account becomes disabled (root only)
  -S, --status            report password status on the named account (root only)
  --stdin                 read new tokens from stdin (root only)
Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
Change the current user password
The most common use for passwd is to change your current password. You can change your own password without any extra permissions. All you need to do is run the passwd command and you will see the following:
$ passwd
Changing password for travis.
Current password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
The passwd command will also check the password strength in the background and will warn you against passwords that appear in the word lists used in known dictionary attacks. For example, you may see
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word
even when providing a seemingly “strong” password, because that password was discovered in a password leak. You may also get a message like
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
which means that the password is too simple or includes patterns, something like apple, 123, 123456, 111111, etc.
Change another user’s password
If another system user forgets their password, or it needs to be changed for any other reason, you can change it with root or sudo privileges by running the command:
sudo passwd george
Display password information
If you want to view information about a password, such as when it was set or the minimum number of days before it can be changed, you can use the -S or --status option. You can’t see the password itself, because it is stored only as a hash.
sudo passwd -S travis
travis PS 2022-07-13 0 99999 7 -1 (Password set, SHA512 crypt.)
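To make the fields of that status line concrete, here is an added example (not part of the original article) that reads passwd -S lines and flags empty passwords, locked passwords and weak aging settings. The function name, the findings it reports and every sample line except the travis one are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit `passwd -S` lines read from stdin.
# Field order follows the sample line above:
#   name status last-change min-days max-days warn-days inactive-days (text)
# PS is the code shown above; LK and NP are its locked / no-password
# counterparts, and P / L are the shadow-utils spellings of PS / LK.

audit_passwd_status() {
    while read -r name status _changed min max _warn inactive _text; do
        [ -n "$name" ] || continue
        case "$status" in
            NP)   echo "$name: empty password"; continue ;;
            LK|L) echo "$name: password locked"; continue ;;
            PS|P) ;;
            *)    echo "$name: unrecognised status $status"; continue ;;
        esac
        # Reject missing or non-numeric aging fields before comparing them.
        bad=0
        for n in "$min" "$max" "$inactive"; do
            case "$n" in ''|*[!0-9-]*) bad=1 ;; esac
        done
        [ "$bad" -eq 0 ] || { echo "$name: malformed aging fields"; continue; }
        # 99999 is the "effectively never" maximum seen in the sample line.
        if [ "$max" -ge 99999 ] || [ "$max" -lt 0 ]; then
            echo "$name: password never expires (max=$max)"
        elif [ "$inactive" -lt 0 ]; then
            echo "$name: expired password never disables account (inactive=$inactive)"
        fi
        # shadow(5): if min-days exceeds max-days the user cannot change it.
        if [ "$max" -ge 0 ] && [ "$min" -gt "$max" ]; then
            echo "$name: min-days $min > max-days $max, user cannot change password"
        fi
    done
}

# Constructed sample input; only the travis line appears in the article.
SAMPLE_STATUS='travis PS 2022-07-13 0 99999 7 -1 (Password set, SHA512 crypt.)
george NP 2022-07-13 0 90 7 30 (constructed)
alice LK 2022-07-13 0 90 7 -1 (constructed)
bob PS 2022-07-13 1 90 7 -1 (constructed)
carol PS 2022-07-13 1 90 7 30 (constructed)
dave PS 2022-07-13 120 90 7 30 (constructed)'

printf '%s\n' "$SAMPLE_STATUS" | audit_passwd_status
```

On a live system the input would come from running sudo passwd -S once per account of interest and piping the collected lines into the function.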
Remove user password
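If you want to prevent a user from accessing a system locally or over SSH with their existing password, you can remove it with the command below. Note that -d leaves the account with an empty password rather than a disabled one: whether a login with no password is then accepted depends on the PAM configuration (the nullok option of pam_unix) and on sshd's PermitEmptyPasswords setting, so use -l when the goal is to block password logins.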
sudo passwd -d george
Expire user password immediately
If you need to force a password change on a user, you can use the following:
sudo passwd -e george
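Lock and unlock a user account
If you want to prevent a user from logging in with their password, or if you want to make their account available again, you can use the following commands, which will lock and unlock the password, respectively. Locking the password does not disable other authentication methods, so a user with an SSH key may still be able to log in.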
sudo passwd -l george
sudo passwd -u george
Lock account after inactive days
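Another handy feature is the ability to lock user accounts that don’t log in after so many days. As long as the account is logged into before the inactive days count, the counter resets. As the help output above states, -i counts the days after password expiration, so it only has an effect on accounts whose passwords actually expire (see -x).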
sudo passwd -i 30 george
This will lock the account “george” if it is not logged into at least once every 30 days.
Set minimum days to change password
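We can also set the minimum password lifetime, which is the number of days that must pass after a password change before the user can change the password again. The maximum lifetime, after which a change is forced, is set separately with -x.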
sudo passwd -n 90 george
Provide a password expiry warning days before password expires
If you want to provide users a warning a certain number of days before their password expires, you can use the following command.
sudo passwd -w 7 george