Password is a critical aspect of Linux security and you need to periodically change your password to ensure the complete safety of your system. This may not come naturally to most of the users and thus the system administrator needs to enforce password change. Linux provides the chage, also known as change age, a command-line utility to check, set, and update the password expiration date.
In this tutorial, we will learn about chage command in Linux to update user password expiry information.
- Access to Linux terminal.
- Root user or sudo privileges to run the commands.
- Some familiarity with the Linux command-line interface.
The chage command displays and updates the user password expiry information. You can specify the number of days after which the user account password expires. This command helps the system administrator to audit the user accounts.
The chage command can enforce users to periodically update the user password to ensure absolute system safety. You can use this command to set an account expiration date on the user accounts that are required only for a limited time.
The syntax of the chage command-line utility is:
chage [options] username
How to Use Chage Command
You can use the chage command with various options to manage password expiration and aging. For example, the chage command can be used to display the account aging information of a user. It can also be used to disable password expiration for a user.
Use the chage command followed the
--list option and a user name to display password aging information about a particular user:
chage -l tom
The date needs to be in YYYY-MM-DD format for all the chage command options that accept a date as an input.
The default values for password aging information can be found in
/etc/login.defs file. You can change the controls such as PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE.
Chage Command Examples
The chage command can be used to set various account aging options. The following examples show you how to set password expiry, account expiry, and other options.
Update Last Password Change Date
When a user changes his/her password, the last password change date changes. You can manually update this date using the
To set the last password change date to 31 December 2022 for a user named tom:
sudo chage -d 2022-12-31 tom
You can set the password to expire immediately and the next login user will be forced to change the password by using the value 0 instead of date.
sudo chage -d 0 tom
Set Password Expiry Date
Unless specified while creating a user account, the account count expiry date is set to never by default.
You can configure when a particular user account will expire. This ensures that the user account (could be a temporary account) will expire on the specified date and the account will be unusable. To set or change the account expiration date use
sudo chage -E 2025-12-31 tom
You can revert back the account expiration date to never by using the value -1 with -E option.
sudo chage -E -1 tom
Set Password Expiry Date Warning
Once you set the password expiry option, the expiry date is updated in the system. As per the “Number of days of warning before password expires” setting, users will get a warning that their password is going to expire on the set date.
You can also change the number of warning days for a particular user:
sudo chage -W 10 tom
Here the user tom gets a warning message to change his password 10 days before his password expires.
Change Minimum Number of Days
To set a minimum number of days between the password changes, use the
For example, to set a user to wait for 5 days to change his password again, type:
sudo chage -m 5 tom
The value of zero (0) indicates that the user may change password any time.
Maximum days password Valid
-M option allows you to set a maximum number of days in which the user is allowed to use the password.
To set a maximum of 20 days during which a password is valid, type:
sudo chage -M 20 tom
The value -1 for MAX_DAYS will remove checking a password validity.
Set Account Inactivity Period
Use the chage
-I command to specify the total number of days in which the account password will be inactive if the expired is not changed. This option is helpful to keep the account inactive if the user does not log in to the account after the password expired and thereafter the account gets locked.
sudo chage -I 10 tom
Use value -1 to set password inactive days to never.
You can use usermod command to lock and unlock an account.
Disable Account Aging
Now, if you decide the keep any account active forever, you can also use the chage command to disable password and account expiry for a user:
sudo chage -I -1 -m 0 -M 99999 -E -1 tom
In this example:
-I -1sets password inactive to never.
-m 0sets the minimum number of days between password change to 0 (zero).
-M 99999sets the maximum number of days between password change to 99999.
-E -1sets account expiry to never.
Chage Command Options
The chage command provides the following options to perform different account password expiry and audit-related operations:
|Sets when the password was last changed. It can be either in a date format YYYY-MM-DD or the number of days since January 1st, 1970.|
|Sets when the password will expire, either in date format or number of days since January 1st, 1970.|
|Sets the number of days during which the password will be inactive. After the set number of days, the account will be locked. The -I -1 option will disable account inactivity.|
|Displays currently set aging information for the given user.|
|Sets the minimum number of days that must pass between two password changes. If you set it to 0 (zero), then the password can be changed at any time.|
|Sets the maximum validity period of a password in the number of days.|
|Sets the warning period in the number of days. During this period, a user will be sent warnings that their password is going to expire after the set number of days.|
In this tutorial, we learned how to use the chage command and manage password expiry information. These commands will work on most of the commonly used Linux distributions, such as Ubuntu, Debian, Red Hat, Fedora, and CentOS.