Complete Guide to passwd Command: Change User Passwords

Master the passwd command for secure password management in Unix-like systems. Learn syntax, options, and best practices for administrators.

Change User Passwords with passwd

Overview

The passwd command is a fundamental system administration tool in Unix-like operating systems that allows users and administrators to change passwords for user accounts. This command provides a secure and standardized way to modify authentication credentials while enforcing password policies and maintaining system security.

Command Syntax

```bash
passwd [options] [username]
```

Basic Usage

Changing Your Own Password

When executed without any arguments, passwd changes the password for the current user:

```bash
passwd
```

The system will prompt for the current password, followed by the new password twice for confirmation.

Changing Another User's Password (Root/Administrator)

System administrators with root privileges can change passwords for other users:

```bash
passwd username
```

For example:

```bash
passwd john
passwd alice
passwd webserver
```

Command Options and Flags

| Option | Long Form | Description |
|--------|-----------|-------------|
| -l | --lock | Lock the specified user account |
| -u | --unlock | Unlock the specified user account |
| -d | --delete | Delete the password for the named account |
| -e | --expire | Force the user to change password on next login |
| -n | --minimum | Set minimum number of days between password changes |
| -x | --maximum | Set maximum number of days password is valid |
| -w | --warning | Set number of days warning before password expires |
| -i | --inactive | Set number of days after password expires until account is disabled |
| -S | --status | Display account status information |
| -q | --quiet | Quiet mode, suppress non-essential messages |
| -r | --repository | Change password in specified repository |
| -R | --root | Apply changes in the chroot directory |

Detailed Command Examples

Basic Password Change Operations

#### Change Current User Password

```bash
passwd
```

Output:

```
Changing password for user john.
Current password:
New password:
Retype new password:
passwd: password updated successfully
```

#### Change Another User's Password (Root Only)

```bash
sudo passwd alice
```

Output:

```
Changing password for user alice.
New password:
Retype new password:
passwd: password updated successfully
```

Account Management Operations

#### Lock User Account

```bash
sudo passwd -l username
```

Example:

```bash
sudo passwd -l testuser
passwd: password expiry information changed.
```

#### Unlock User Account

```bash
sudo passwd -u username
```

Example:

```bash
sudo passwd -u testuser
passwd: password expiry information changed.
```

#### Delete User Password

```bash
sudo passwd -d username
```

Example:

```bash
sudo passwd -d guestuser
passwd: password expiry information changed.
```

#### Force Password Change on Next Login

```bash
sudo passwd -e username
```

Example:

```bash
sudo passwd -e newemployee
passwd: password expiry information changed.
```

Password Aging Configuration

#### Set Minimum Days Between Password Changes

```bash
sudo passwd -n 7 username
```

This prevents the user from changing their password for 7 days after the last change.

#### Set Maximum Password Age

```bash
sudo passwd -x 90 username
```

This forces the user to change their password every 90 days.

#### Set Warning Period

```bash
sudo passwd -w 14 username
```

This warns the user 14 days before password expiration.

#### Set Inactive Period

```bash
sudo passwd -i 30 username
```

This disables the account 30 days after password expiration.

Account Status Information

#### Display Password Status

```bash
sudo passwd -S username
```

Example output:

```bash
sudo passwd -S john
john PS 2023-10-15 7 90 14 30 (Password set, SHA512 crypt.)
```

Status field meanings:

- PS: Password set
- LK: Password locked
- NP: No password
- L: Account locked

Password Policy and Security

Password Complexity Requirements

Most modern Linux distributions enforce password complexity through PAM (Pluggable Authentication Modules). Common requirements include:

| Requirement | Description |
|-------------|-------------|
| Minimum Length | Usually 8-12 characters minimum |
| Character Classes | Mix of uppercase, lowercase, numbers, symbols |
| Dictionary Check | Prevents common dictionary words |
| History Check | Prevents reusing recent passwords |
| Username Check | Prevents using username in password |

Configuration Files

#### /etc/login.defs

Contains default password aging settings:

```bash
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
```

#### /etc/pam.d/passwd

PAM configuration for password changes:

```bash
# PAM configuration for passwd
auth       include      system-auth
account    include      system-auth
password   include      system-auth
```

#### /etc/security/pwquality.conf

Password quality requirements:

```bash
# Configuration for systemwide password quality limits
minlen = 8
minclass = 2
maxrepeat = 3
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
```

Interactive Password Change Process

Step-by-Step Process

1. Command Execution

   ```bash
   passwd
   ```

2. Current Password Verification

   ```
   Changing password for user john.
   Current password: [enter current password]
   ```

3. New Password Entry

   ```
   New password: [enter new password]
   ```

4. Password Confirmation

   ```
   Retype new password: [confirm new password]
   ```

5. Success Confirmation

   ```
   passwd: password updated successfully
   ```

Error Scenarios

#### Incorrect Current Password

```bash
passwd
Changing password for user john.
Current password:
passwd: Authentication token manipulation error
```

#### Password Too Simple

```bash
passwd
Changing password for user john.
Current password:
New password:
BAD PASSWORD: The password is too simple
New password:
```

#### Password Mismatch

```bash
passwd
Changing password for user john.
Current password:
New password:
Retype new password:
Sorry, passwords do not match.
New password:
```

Advanced Usage Scenarios

Batch Password Operations

#### Script for Multiple Users

```bash
#!/bin/bash
# Change passwords for multiple users
users=("alice" "bob" "charlie")
for user in "${users[@]}"; do
    echo "Changing password for $user"
    passwd "$user"
done
```

#### Automated Password Generation

```bash
#!/bin/bash
# Generate random password and set for user
username="$1"
password=$(openssl rand -base64 12)
echo "$username:$password" | chpasswd
echo "Password for $username: $password"
```

Integration with System Administration

#### Password Expiry Management

```bash
# Set comprehensive password policy for user
sudo passwd -n 1 -x 90 -w 7 -i 14 username
```

#### Account Maintenance Script

```bash
#!/bin/bash
# Account maintenance script
username="$1"

# Display current status
echo "Current status for $username:"
passwd -S "$username"

# Set password expiry
passwd -e "$username"
echo "Password expiry set for $username"

# Set aging parameters
passwd -n 7 -x 60 -w 7 "$username"
echo "Password aging configured"
```

Security Considerations

Best Practices

| Practice | Description | Implementation |
|----------|-------------|----------------|
| Strong Passwords | Enforce complex password requirements | Configure PAM modules |
| Regular Changes | Implement password aging policies | Use -x and -n options |
| Account Locking | Lock unused or compromised accounts | Use -l option |
| Password History | Prevent password reuse | Configure PAM remember module |
| Monitoring | Log password changes | Monitor system logs |

Security Features

#### Password Hashing

Modern systems use strong hashing algorithms:

- SHA-256
- SHA-512
- bcrypt
- scrypt

#### Salt Usage

Passwords are salted to prevent rainbow table attacks:

```bash
# Example from /etc/shadow
user:$6$randomsalt$hashedpassword:18000:0:99999:7:::
```

#### Audit Trail

Password changes are logged in system logs:

```bash
# Check password change logs
sudo grep passwd /var/log/auth.log
sudo journalctl | grep passwd
```

Troubleshooting Common Issues

Permission Denied Errors

#### Problem

```bash
passwd: Permission denied
```

#### Solution

Ensure proper permissions and run with appropriate privileges:

```bash
# Check passwd permissions
ls -l /usr/bin/passwd

# Should show setuid bit
# -rwsr-xr-x 1 root root 68208 passwd
```

PAM Authentication Failures

#### Problem

```bash
passwd: Authentication token manipulation error
```

#### Solutions

1. Check PAM configuration:

   ```bash
   sudo cat /etc/pam.d/passwd
   ```

2. Verify system authentication:

   ```bash
   sudo cat /etc/pam.d/system-auth
   ```

3. Check for locked files:

   ```bash
   sudo lsof /etc/shadow
   sudo lsof /etc/passwd
   ```

Password Policy Violations

#### Problem

Password rejected due to policy violations

#### Solutions

1. Check password quality settings:

   ```bash
   sudo cat /etc/security/pwquality.conf
   ```

2. Review login definitions:

   ```bash
   sudo cat /etc/login.defs
   ```

3. Test password strength:

   ```bash
   pwscore <<< "testpassword"
   ```

System Integration and Automation

Scripting Examples

#### Password Expiry Report

```bash
#!/bin/bash
# Generate password expiry report
echo "Password Expiry Report"
echo "====================="
while IFS=: read -r username x uid gid comment home shell; do
    if [ "$uid" -ge 1000 ] && [ "$uid" -lt 65534 ]; then
        status=$(passwd -S "$username" 2>/dev/null)
        echo "$username: $status"
    fi
done < /etc/passwd
```

#### Bulk Password Reset

```bash
#!/bin/bash
# Bulk password reset with random passwords
umask 077   # the CSV log holds plaintext passwords; create it owner-only
users_file="$1"
while read -r username; do
    if id "$username" &>/dev/null; then
        new_password=$(openssl rand -base64 12)
        echo "$username:$new_password" | chpasswd
        # Force a change at next login so the generated password is short-lived
        passwd -e "$username"
        echo "$username,$new_password" >> password_reset_log.csv
    fi
done < "$users_file"
```

System Monitoring

#### Password Change Monitoring

```bash
#!/bin/bash
# Monitor password changes
tail -f /var/log/auth.log | grep --line-buffered passwd | while read -r line; do
    echo "$(date): $line"
    # Send notification or log to external system
done
```
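The `grep passwd` filter above also matches lines that merely mention `/etc/passwd`. As an added example (not part of the original article), the function below keeps only pam_unix `chauthtok` events and reports who was affected; the sample log lines are constructed, and the exact message wording is an assumption that can vary by distribution.

```shell
#!/bin/sh
# Added example (not from the original article): extract password events.

# Constructed sample lines in the pam_unix syslog style; the hosts, PIDs and
# users are made up, and the exact wording can differ between distributions.
sample_auth_log() {
    cat <<'EOF'
Oct 15 10:01:12 host1 passwd[2101]: pam_unix(passwd:chauthtok): password changed for alice
Oct 15 10:02:40 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/passwd
Oct 15 10:03:05 host1 passwd[2140]: pam_unix(passwd:chauthtok): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser= rhost=  user=bob
Oct 15 10:04:33 host1 chpasswd[2188]: pam_unix(chpasswd:chauthtok): password changed for carol
EOF
}

# Reads auth log lines on stdin; prints "<timestamp> <EVENT> <service> <user>".
password_events() {
    awk '
    match($0, /pam_unix\([a-z]+:chauthtok\)/) {
        # Service name sits between "pam_unix(" (9 chars) and ":chauthtok)" (11).
        svc = substr($0, RSTART + 9, RLENGTH - 20)
        ts = $1 " " $2 " " $3
        user = $0
        if ($0 ~ /password changed for /) {
            sub(/.*password changed for /, "", user)
            print ts " CHANGED " svc " " user
        } else if ($0 ~ /authentication failure/) {
            sub(/.* user=/, "", user)   # keep only the trailing user= value
            sub(/ .*/, "", user)
            print ts " FAILED " svc " " user
        }
    }'
}

sample_auth_log | password_events
```

To watch a live log, pipe `tail -F /var/log/auth.log` into `password_events` in place of the sample function.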

Related Commands and Tools

Complementary Commands

| Command | Purpose | Example |
|---------|---------|---------|
| chage | Change user password expiry information | chage -l username |
| usermod | Modify user account | usermod -e 2024-12-31 username |
| chpasswd | Update passwords in batch | chpasswd < passwords.txt |
| pwgen | Generate passwords | pwgen -s 12 1 |
| getent | Get entries from databases | getent shadow username |

Password Management Tools

#### System Tools

```bash
# Check password aging
chage -l username

# Modify user account
usermod -L username  # Lock account
usermod -U username  # Unlock account

# Batch password changes
echo "user1:newpass1" | chpasswd
echo "user2:newpass2" | chpasswd
```

#### Security Auditing

```bash
# Check for accounts without passwords
sudo awk -F: '($2 == "") {print $1}' /etc/shadow

# List locked accounts
sudo passwd -S -a | grep LK

# Check password aging for a user (repeat for each account)
sudo chage -l username
```
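The shadow entry layout shown under Salt Usage and the checks under Security Auditing can be combined into one pass. The added example below (not from the original article) goes beyond the empty-password check: it reads shadow-format lines and also flags locked entries, legacy hash schemes identified by the `$id$` prefix, and entries with no maximum age. The sample entries are constructed, and the finding labels are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit shadow-format lines.

# Constructed sample entries; salts and hashes are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:19000:0:90:7:::
bob:$1$constructedsalt$constructedhash:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:!$6$constructedsalt$constructedhash:19000:0:90:7:::
erin:$y$j9T$constructedsalt$constructedhash:19000:1:90:7:14::
EOF
}

# Reads shadow-format lines on stdin, prints one "user:FINDING" line per issue.
audit_shadow() {
    awk -F: '
    {
        user = $1; hash = $2; max = $5
        # Empty field: the account has no password at all.
        if (hash == "") { print user ":NO_PASSWORD"; next }
        # Leading "!" or "*": no password can match, so password login is locked.
        if (hash ~ /^[!*]/) { print user ":LOCKED"; next }
        # crypt(5) layout is $id$salt$hash; a field without "$" is legacy DES.
        n = split(hash, part, /[$]/)
        id = (n >= 3 && part[1] == "") ? part[2] : "des"
        if (id == "des" || id == "1") print user ":WEAK_HASH(" id ")"
        # 99999 (the login.defs default shown earlier) or empty means no expiry.
        if (max == "" || max + 0 >= 99999) print user ":NO_MAX_AGE"
    }'
}

sample_shadow | audit_shadow
```

On a live system, feed it the output of `sudo getent shadow` instead of the sample function.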

File System Integration

Important Files

| File | Purpose | Permissions |
|------|---------|-------------|
| /etc/passwd | User account information | 644 |
| /etc/shadow | Encrypted passwords and aging info | 640 |
| /etc/group | Group information | 644 |
| /etc/gshadow | Group password information | 640 |
| /etc/login.defs | Default password aging settings | 644 |

Backup Considerations

#### Shadow File Backup

```bash
# Create backup before password changes
sudo cp /etc/shadow /etc/shadow.backup.$(date +%Y%m%d)
sudo cp /etc/passwd /etc/passwd.backup.$(date +%Y%m%d)
```

#### Verification

```bash
# Verify shadow file integrity
sudo pwck
sudo grpck
```

The passwd command is an essential tool for system security and user management. Understanding its various options, security implications, and integration with system policies is crucial for effective system administration. Regular password maintenance, proper policy enforcement, and security monitoring help maintain a secure computing environment.
