Security is one of the most frequently touted features of Linux, and the way it manages and authenticates its users is part of the justification. Authentication of users is done in Linux through passwords and public keys.
Linux distributions allow administrative accounts to be set up during the OS installation, and this can be changed later if you have the required privilege. Generally, there is no default password set for any user account in Linux. When a new user is created using the useradd command, the account doesn't have a password; in order to log in, the password has to be created separately.
In this tutorial, we'll learn how to use the passwd command to change passwords in Linux.
Prerequisites
- Any Linux system
- Basic knowledge of Linux command line
- An existing user account
- Required privilege to run the command
Passwd Command
passwd is a command that changes user account passwords in the Linux system. A regular user has the privilege to only change the password for their individual account while a superuser (root) exercises the privilege to change passwords for any account in the system.
Syntax:
passwd [option] [user]
The passwd command changes the user's password by modifying the password entries that are stored as encrypted (hashed) strings in the /etc/shadow file. It can also be used to change the validity periods and other related settings for passwords associated with the account.
After entering the passwd command in the terminal, users first need to enter their current password for verification. Superusers are exempt from this step when changing the passwords for other accounts, which is what makes it possible to reset forgotten passwords for user accounts.
After verifying the current password, passwd checks whether the current user has the privilege to alter the password.
Only if the current user has the privilege are they prompted for a new password. In the next step, passwd checks the complexity of the new password. If the password passes the complexity test, passwd prompts for the new password to be retyped. If the two passwords match, the new password is set for the user.
The configuration files passwd uses are:
- /etc/passwd: stores the user account information
- /etc/shadow: stores secure user account information
- /etc/pam.d/passwd: stores PAM configuration for passwd
Passwd command Options
Option | Description |
---|---|
-a , --all | Display password status of every account in the system |
-d , --delete | Remove user password |
-e , --expire | Expire user's password immediately |
-h , --help | Show this help information |
-k , --keep-tokens | Change password only in case of expired authentication tokens |
-i , --inactive INACTIVE | Deactivate the password after INACTIVE number of days following the password expiry |
-l , --lock | Lock the password for the account specified |
-n , --mindays MIN_DAYS | Set the minimum number of days between password changes to MIN_DAYS |
-q , --quiet | Enable quiet mode |
-r , --repository REPOSITORY | Change password in REPOSITORY repository |
-R , --root CHROOT_DIR | Specify directory to chroot into |
-S , --status | Display account status information |
-u , --unlock | Unlock the password of the named account |
-w , --warndays WARN_DAYS | Set the number of days before the required password change the user will be warned to WARN_DAYS |
-x , --maxdays MAX_DAYS | Set the maximum number of days the password remains valid for a user to MAX_DAYS |
Passwd Command Examples
Now, we’ll be seeing the passwd commands in action with the following examples.
Change User Password
Typing the passwd command without any option changes your own password.
Example:
$ passwd
To change other users’ passwords, we can prefix the passwd with sudo (i.e. sudo passwd) provided that the current user is configured to access the superuser privileges. With sudo, we can even change the root password along with the passwords for other normal user accounts.
To change the root password, type:
$ sudo passwd root
Immediate password expiry
To expire a user account's password immediately, we can use the -e option.
In the following example, we will expire the password of the user named werewolf immediately:
$ sudo passwd -e werewolf
As we can see, we are provided with the message that the password expiry information changed.
This will prompt the user to change their password the next time they log in. Now, if we log in as werewolf, we will be prompted for a new password.
$ su werewolf
Check password status for user
Use the -S option to check the status of the password for a user.
Here we check the password status of the user named linuxopsys:
Understanding password status output:
- The user linuxopsys has a usable password (P) that is set to expire on 02/08/2022.
- The user has to wait a minimum of 0 days between password changes, i.e. can change the password without any set interval.
- The user has to change their password every 99999 days.
- The user will be warned 7 days before a required password change.
- The number of days after which the user’s account will be disabled following the password expiry is set to -1, i.e. the user account won't be disabled after the password expiry.
The seven columns of the password status output are described in the following table.
Column | Description |
---|---|
1 | User name |
2 | State of the password i.e. if the user has a locked password (L), no password (NP), or a usable password (P) |
3 | Expiry date of the password |
4 | User cannot change the password more often than every specified number of days |
5 | Associated password validity period for the user account |
6 | Number of days user will be warned before a required password change |
7 | Number of days after which the user’s account will be disabled following the password expiry |
We can also display the information about the status of passwords for all the users using the -a option along with the -S option.
$ sudo passwd -Sa
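The seven-column status output described above can be audited mechanically. The following is an added example, not part of the original tutorial: the function name audit_passwd_status and the sample lines are constructed for illustration, and it assumes the status codes from the table (P, NP, L), also accepting the PS code that some distributions print for a usable password.

```sh
#!/bin/sh
# Added example: flag risky entries in `passwd -S -a` style output.
# Reads status lines on stdin and prints one finding per flagged account.
# Uses columns 1 (user), 2 (state), 5 (max days) and 7 (inactive days).
audit_passwd_status() {
    awk '
        NF < 7 { next }    # skip short or malformed lines
        {
            user = $1; state = $2
            max = $5 + 0; inactive = $7 + 0
            usable = (state == "P" || state == "PS")
            if (state == "NP")
                print user ": no password set (passwordless login possible)"
            else if (usable && (max == 99999 || max < 0))
                print user ": usable password never expires (max days " max ")"
            else if (usable && inactive < 0)
                print user ": account stays enabled after password expiry"
        }
    '
}

# Constructed sample input, not taken from a real system.
sample_status() {
    cat <<'EOF'
root L 01/10/2022 0 99999 7 -1
linuxopsys P 02/08/2022 0 99999 7 -1
werewolf NP 02/08/2022 1 7 5 7
alice P 02/01/2022 1 90 7 14
bob P 02/01/2022 1 90 7 -1
EOF
}

# On a live system: sudo passwd -S -a | audit_passwd_status
sample_status | audit_passwd_status
```

Locked accounts (L) are skipped because their password cannot be used to log in, whatever the ageing values say.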
Delete user password
The -d option can be used to delete a user's password. It will make the named account passwordless.
In the following example, we delete the password for the user named werewolf:
$ sudo passwd -d werewolf
The console gives a confirmation message that password expiry information changed for the user werewolf.
Now, switch to user werewolf without any password.
Set inactive days after the password expiry
Use the -i option to set the number of inactive days after the password expires, after which the account will be deactivated.
In the following example, we set the number of inactive days to 7 for the user werewolf. It means that the user account werewolf will be deactivated after it has had an expired password for 7 days.
$ sudo passwd -i 7 werewolf
You can verify by typing:
$ sudo passwd -S werewolf
Set minimum days to change the password
Use the -n option to set a minimum number of days between password changes, so that the user will be unable to change the password again for the specified number of days.
In the following example, we set the minimum number of days between password changes for the user werewolf to 1.
$ sudo passwd -n 1 werewolf
Set warning period before password expiry
Use the -w option to set the number of days before the password expires that the user will be warned about the expiring password.
To set the warning period to 5 days for the user named werewolf, type:
$ sudo passwd -w 5 werewolf
The number of warning days has changed to 5 in the password status:
Set maximum days password remains valid
Use the -x option to set the maximum number of days a password remains valid for a user. After the specified validity period is over, the user is forced to change their password.
For example, to set the password validity period for the user werewolf to 7 days, type:
$ sudo passwd -x 7 werewolf
Confirm by checking:
Lock a user account
Use the passwd command with the -l option to lock the user account. You will need to use sudo before the command or be the root user to perform this action.
For example, to lock the user named werewolf, type:
$ sudo passwd -l werewolf
The user will not be able to log in until the system administrator unlocks his password again.
You can confirm the user is locked by checking the password status: the L in the second column indicates the user account is locked.
Once the user is locked, if you try to login with that user you get an authentication failure alert.
Unlock a user account
We can unlock the locked account with the -u option. For example, to unlock the user werewolf, run the following command:
$ sudo passwd -u werewolf
The second column changed to P in the password status to confirm the user account is unlocked.
Enable quiet mode
Using the -q option enables quiet mode, which suppresses messages such as ‘Changing password for $USER’ and some error messages.
Example:
$ passwd -q
Change Password in Bash
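You can change a user account password non-interactively in bash by piping the output of the echo command into the passwd command. The new password is supplied twice because passwd asks for it to be retyped, and the command has to be run as root so that passwd does not ask for the current password first. A password written on the command line this way is also saved in the shell history.
Example:
echo -e "newpassword\nnewpassword" | passwd username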
Conclusion
In this tutorial, we became familiar with the passwd command which is used to change passwords. We have also covered some of the useful passwd command options with practical examples.