Security technologies have come a long way, but the venerable password still remains one of the most common tools used to secure data.
The passwd command lets you change the user password in Linux but it can do a lot more than that. You can lock (and unlock) users. You can make a user change the password on the next login and more.
In this tutorial, I’ll show you some useful examples of the passwd command that you may use as a sysadmin.
Practical examples of passwd command
The passwd command works on the /etc/passwd file. Any changes you make are reflected there.
Where is the password stored in Linux? It is stored in encrypted form in the /etc/shadow file.
Let’s see some examples of the passwd command.
1. Change your own password
To change the current user’s password i.e. your own account password, just enter the passwd command without any options.
You’ll be asked to enter your current password first:
$ passwd
Changing password for christopher.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
If you enter your current password as the new password, the system will throw an error message saying that the password is unchanged and prompt you again for a new password.
2. Create root password
Many Linux distributions come without a root password set. The only way to access the root account is through the sudo or su commands. This is because a default password like ‘toor’ would make a system vulnerable to attackers.
You must be a sudo user to create a root password:
sudo passwd root
Here’s the output:
$ sudo passwd root
[sudo] password for christopher:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
This is one of many reasons why it is critical to properly configure user access. You wouldn’t want all users to be able to change your root password!
3. Change other user’s password
You can change another user’s password in Linux by running the passwd command as root or with sudo.
sudo passwd user_name
You won’t be asked for the old password obviously. You are resetting the password after all and as the admin, you should be able to do that.
# passwd christopher
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
4. Check password status
You can check the status of a user’s password like this:
sudo passwd -S user_name
Here’s an example:
$ passwd -S christopher
christopher P 06/13/2020 0 99999 7 -1
Let’s review this information. I will organize it into a table to make it easier to read. Then I will discuss what certain values mean.
|Username|Status|Date Last Changed|Minimum Age|Maximum Age|Warning Period|Inactivity Period|
|christopher|P|06/13/2020|0|99999|7|-1|
Let’s look first at the status column. Here are the possible options for this field.
There are some special numbers reserved for setting parameters on password rules.
|Special Numbers for Age|Description|
|0|Can be changed at any time|
Here you see that the warning period is set at 7 days, but because the inactivity period is disabled and the age is set to never expire, no warning would occur.
5. Check password status for all accounts
You may also check the password status of all user accounts on your system:
sudo passwd -Sa
6. Force user to change password at next login
You can use the -e option to expire a user’s password immediately. This will force the user to change the password at the next login.
sudo passwd -e user_name
Here’s what the forced expiry looks like:
# passwd -e christopher
passwd: password expiry information changed.
Now you can check the status to note the changes:
# passwd -S christopher
christopher P 01/01/1970 0 99999 7 -1
As you can see, the password set date has been changed to ‘01/01/1970’. This date is historically linked to Unix systems as its “epoch” date. This basically means that the date is day ‘0’ (on a 32-bit scale) in the history of Unix.
You have successfully expired the password. The next time my account logs in, it will be forced to change to a different password.
7. Lock or unlock user accounts
The -l option of the passwd command allows you to lock a user account in Linux:
sudo passwd -l user_name
Once you use it on a user account, the password will no longer work to grant access.
# passwd -l christopher
passwd: password expiry information changed.
You can confirm the status of the user’s password with the -S option as discussed earlier. L stands for lock in the output here.
# passwd -S christopher
christopher L 06/13/2020 0 99999 7 -1
Unlocking the user account is just as easy. Use the -u option to unlock the user:
# passwd -u christopher
passwd: password expiry information changed.
You may confirm the status. The P in the output means a usable password, i.e. the password can be used with the account.
# passwd -S christopher
christopher P 06/13/2020 0 99999 7 -1
8. Delete password from an account and make it password-less
I don’t see any practical use case for this, but you can delete the password for a certain account. This way, that account won’t need a password for accessing the system. This is not good for security.
sudo passwd -d user_name
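The status fields from section 4 can be checked in bulk to catch the account states covered in sections 6 to 8. The script below is an added example, not part of the original tutorial: it reads lines in the passwd -S / passwd -Sa format and flags accounts with no password (status NP, which is what passwd -d leaves behind), locked accounts, forced expiry, and passwords that never expire. The function names and sample accounts are constructed for illustration, and accepting an ISO-style date is an assumption for systems that print dates that way.

```shell
#!/bin/sh
# Added example: audit `passwd -S` / `passwd -Sa` style lines read from stdin.
# Fields: user status last_change min_age max_age warn inactive

audit_passwd_status() {
    awk '
    NF < 7 { next }                      # skip malformed or short lines
    {
        user = $1; status = $2; changed = $3; max = $5
        if (status == "NP")
            print user ": no-password"   # empty password, as after passwd -d
        else if (status == "L")
            print user ": locked"        # as after passwd -l
        # The epoch date marks a password expired with passwd -e.
        # The ISO form is an assumption for hosts that print dates that way.
        if (changed == "01/01/1970" || changed == "1970-01-01")
            print user ": change-forced-at-next-login"
        else if (status == "P" && (max == 99999 || max < 0))
            print user ": password-never-expires"
    }'
}

# Constructed sample input in the format shown in section 4.
sample_status() {
    cat <<'EOF'
christopher P 06/13/2020 0 99999 7 -1
alice P 01/01/1970 0 99999 7 -1
bob L 06/13/2020 0 90 7 -1
svc_backup NP 06/13/2020 0 99999 7 -1
carol P 06/13/2020 1 90 14 30
EOF
}

# Demo on the constructed sample. On a real host:
#   sudo passwd -Sa | audit_passwd_status
sample_status | audit_passwd_status
```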
You may also use the -n option to force a user to change the password in N number of days. But doing this manually is a waste of time. Instead, you should properly configure your system’s password policy so that it is applicable to all user accounts.
You can always see all available options by using the -h option.
I hope this tutorial was helpful in getting you started with the passwd command in Linux.