Commands

How to Handle Account Passwords in Linux With passwd Command

The passwd command in Linux allows you to change user password, lock accounts, expire passwords and more. Learn how to use the passwd command with practical examples.

Christopher Murray
Christopher Murray

Table of Contents

Security technologies have come a long way, but the venerable password still remains one of the most common tools used to secure data.

The passwd command lets you change the user password in Linux but it can do a lot more than that. You can lock (and unlock) users. You can make a user change the password on the next login and more.

In this tutorial, I’ll show you some useful examples of the passwd command that you may use as a sysadmin.

Practical examples of passwd command

passwd command

The passwd command works on the /etc/passwd file. The changes you made are reflected here.

Where is the password stored in Linux? It is stored in encrypted form in /etc/shadow file.

Let’s see some examples of the passwd command.

1. Change your own password

To change the current user’s password i.e. your own account password, just enter the passwd command without any options.

passwd

You’ll be asked to use your current password first:

[email protected]:~$ passwd
Changing password for christopher.
(current) UNIX password: 
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

If you enter your current password as the new password, the system will throw an error message saying that the password is unchanged and prompt you again for a new password.

2. Create root password

Many Linux distributions come without a root password set. The only way to access root account is through sudo or su commands. This is because a default password like ‘toor’ would make a system vulnerable to attackers.

You must be a sudo user to create root password:

sudo passwd root

Here’s the output:

[email protected]:~$ sudo passwd root
[sudo] password for christopher:             
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

This is one of many reasons why it is critical to properly configure user access. You wouldn’t want all users to be able to change your root password!

3. Change other user’s password

You can change user password in Linux using passwd command as root or with sudo.

sudo passwd user_name

You won’t be asked for the old password obviously. You are resetting the password after all and as the admin, you should be able to do that.

[email protected]:/home/christopher# passwd christopher
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

4. Check password status

You can check the status of a user’s password like this:

sudo passwd -S user_name

Here’s an example:

[email protected]:~$ passwd -S christopher
christopher P 06/13/2020 0 99999 7 -1

Let’s review this information. I will organize it into a table to make it easier to read. Then I will discuss what certain values mean.

Username Status Date Last Changed Minimum Age Maximum Age Warning Period Inactivity Period
christopher P 06/13/2020 0 99999 7 -1

Let’s look first at the status column. Here are the possible options for this field.

Status Description
P Usable password
NP No password
L Locked password

There are some special numbers reserved for setting parameters on password rules.

Special Numbers for Age Description
9999 Never expires
0 Can be changed at anytime
-1 Not active

Here you see that the warning period is set at 7 days, but because the inactivity period is disabled and the age is set to never expire, no warning would occur.

5. Check password status for all accounts

You may also check the password status of all users accounts on your system:

sudo passwd -Sa

6. Force user to change password at next login

You can use the -e option to expire user’s password immediately. This will force user to change the password at next login.

sudo passwd -e user_name

Here’s how the forced expiry looks like:

[email protected]:/home/christopher# passwd -e christopher
passwd: password expiry information changed.

Now you can check the status to note the changes:

[email protected]:/home/christopher# passwd -S christopher
christopher P 01/01/1970 0 99999 7 -1

As you can see the password set date has been changed to ’01/01/1970′. This date is historically linked to Unix systems as it’s “epoch” date. This basically means that that date is day ‘0’ (on a 32-bit scale) in the history of Unix.

You have successfully expired the password. The next time my account logs in, it will be forced to change to a different password.

7. Lock or unlock user accounts

The -l option of passwd command allows you to lock a user account in Linux:

sudo passwd -l user_name

Once you use it on a user account, the password will no longer work to grant access.

[email protected]:/home/christopher# passwd -l christopher
passwd: password expiry information changed.

You can confirm the status of user password with -S option as discussed earlier. L stands for lock in the output here.

[email protected]:/home/christopher# passwd -S christopher
christopher L 06/13/2020 0 99999 7 -1

Unlocking the user account is just as easy. Use the -u option to unlock the user:

[email protected]:/home/christopher# passwd -u christopher
passwd: password expiry information changed.

You may confirm the status. The P in the output means usable password i.e. password can be used with the account.

[email protected]:/home/christopher# passwd -S christopher
christopher P 06/13/2020 0 99999 7 -1

8. Delete password from an account and make it password-less

I don’t see any practical use case for this but you can delete password for a certain account. This way, that account won’t need password for accessing the system. This is not good for security.

sudo passwd -d user_name

Conclusion

You may also use the -n option to force a user to change the password in N number of days. But manually doing this is waste of time. Instead, you should properly configure your system’s password policy so that it is applicable to all user accounts.

You can always see all available options by using -h option.

I hope this tutorial was helpful in getting you started with the passwd command in Linux.

As always, we love to hear from our readers about content they’re interested in. Leave a comment below and share your thoughts with us!



Join the conversation.