Terminus by Warp
Change User Passwords In Linux

Razvan Ludosanu
Founder, learnbackend.dev

The short answer

In Linux, to change the password of a user, you can use the [.inline-code]passwd[.inline-code] command as follows:

$ sudo passwd <username>

After running the command, you'll be prompted to enter the new password twice for confirmation. Note that when typing the password, no characters will be displayed on the screen for security reasons.

Also note that this command requires superuser privileges to run (i.e. [.inline-code]sudo[.inline-code]) as it manipulates the [.inline-code]/etc/passwd[.inline-code] and [.inline-code]/etc/shadow[.inline-code] system authentication files.

For example, the following command will change the password of the [.inline-code]johndoe[.inline-code] user account:

$ sudo passwd johndoe
New password:
Retype new password:
passwd: password updated successfully

[#change-multiple-passwords] Changing the password of multiple users [#change-multiple-passwords]

To change the password of multiple users at once, you can use the [.inline-code]chpasswd[.inline-code] command that reads username-password pairs from the standard input:

$ sudo chpasswd

Where the username and the password are separated by a colon character:

username:password

Once you've entered your user account list, you can press [.inline-code]CTRL + D[.inline-code] to send an EOF (End of File) signal and execute the command.

Note that, by default, the supplied passwords must be written in clear-text as they will be automatically encrypted by the [.inline-code]chpasswd[.inline-code] command.

For example, the following command will change the passwords of both the [.inline-code]alice[.inline-code] and [.inline-code]bob[.inline-code] user accounts:

$ sudo chpasswd
alice:helloworld
bob:hallowelt
^D

[#change-passwords-from-a-file] Reading username-password pairs from a file [#change-passwords-from-a-file]

Since the [.inline-code]chpasswd[.inline-code] command reads directly from the standard input, you can write a list of username-password pairs to a regular file:

username1:password1
username2:password2

And feed this file to the [.inline-code]chpasswd[.inline-code] command using the input redirection operator as follows:

$ sudo chpasswd < passwords.txt

Note that in order to restrict access and prevent unauthorized users from reading or modifying this file, you can change its permissions to only allow the owner to perform these actions using the [.inline-code]chmod[.inline-code] command as follows:

$ chmod 600 passwords.txt

You can learn more about the [.inline-code]chmod[.inline-code] command by reading our other article on how to change file permissions in Linux.
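
As an added example (not part of the original article), the following pre-flight check refuses a batch file that is readable by other users or malformed before it is passed to [.inline-code]chpasswd[.inline-code]. The function name [.inline-code]check_chpasswd_file[.inline-code] is hypothetical, the sample file is constructed, and GNU [.inline-code]stat[.inline-code] is assumed.

```bash
#!/bin/sh
# check_chpasswd_file FILE  (hypothetical helper, added example)
# Returns 0 only if FILE looks safe to feed to chpasswd.
# Diagnostics name the line number or user, never the password.
check_chpasswd_file() {
  file=$1
  rc=0
  [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }

  # The article recommends mode 600: no access for group or others.
  mode=$(stat -c '%a' "$file")   # GNU stat assumed
  case $mode in
    600|400) ;;
    *) echo "mode $mode is too open, expected 600" >&2; rc=1 ;;
  esac

  # Each line must be username:password with both parts non-empty,
  # and a user must not be listed twice.
  awk -F: '
    !/^[^:]+:.+$/ { printf "line %d: not username:password\n", NR; bad = 1; next }
    seen[$1]++    { printf "line %d: duplicate user %s\n", NR, $1; bad = 1 }
    END           { exit bad }
  ' "$file" >&2 || rc=1

  return $rc
}

# Demo on a constructed file; mktemp creates it with mode 600,
# so the passwords are never world-readable, even briefly.
demo=$(mktemp)
printf 'alice:helloworld\nbob:hallowelt\n' > "$demo"
check_chpasswd_file "$demo" && echo "safe to run: sudo chpasswd < $demo"
rm -f "$demo"
```

Run it as [.inline-code]check_chpasswd_file passwords.txt && sudo chpasswd < passwords.txt[.inline-code], and delete the file once the passwords have been set.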

[#change-passwords-expiration-date] Changing a password’s expiration date [#change-passwords-expiration-date]

In Linux, setting a password expiration date helps enhance the security of user accounts by mitigating the risk of long-term password compromise.

To change the expiration date of a password and force the user to change it past that date, you can use the [.inline-code]chage[.inline-code] command with the [.inline-code]-E[.inline-code] flag (short for [.inline-code]--expiredate[.inline-code]) as follows:

$ sudo chage -E <date> <username>

Where:

  • [.inline-code]date[.inline-code] is a date in the [.inline-code]YYYY-MM-DD[.inline-code] format.

This implies that after this date, the user will not be able to log in without resetting their password.

For example, the following command will set the expiration date of the [.inline-code]johndoe[.inline-code] user account password to June 3rd, 2024:

$ sudo chage -E 2024-06-03 johndoe

[#expire-password-immediately] Expiring a password immediately [#expire-password-immediately]

To immediately expire a password and force a user to change their password upon next login, you can use the [.inline-code]passwd[.inline-code] command with the [.inline-code]-e[.inline-code] flag (short for [.inline-code]--expire[.inline-code]) as follows:

$ sudo passwd -e <username>

[#lock-accounts-with-expired-passwords] Locking user accounts with expired passwords [#lock-accounts-with-expired-passwords]

To automatically lock user accounts with expired passwords that haven't been used in a certain period of time, you can use the [.inline-code]chage[.inline-code] command with the [.inline-code]-I[.inline-code] flag (short for [.inline-code]--inactive[.inline-code]) as follows:

$ sudo chage -I <days> <username>

Note that setting the number of days to [.inline-code]-1[.inline-code] will remove the account's inactivity period.

For example, the following command will allow the [.inline-code]johndoe[.inline-code] user account to be inactive for 30 days after its password has expired before being automatically locked:

$ sudo chage -I 30 johndoe

[#enforce-periodic-password-changes] Enforcing a periodic password change [#enforce-periodic-password-changes]

To set the maximum number of days during which a password is valid, you can use the [.inline-code]chage[.inline-code] command with the [.inline-code]-M[.inline-code] flag (short for [.inline-code]--maxdays[.inline-code]) as follows:

$ sudo chage -M <days> <username>

Note that setting the maximum number of days to [.inline-code]0[.inline-code] will force the user to change their password every single time they log in, and setting it to [.inline-code]-1[.inline-code] will remove the password's validity check, which means that a user will be able to keep the same password indefinitely.

For example, the following command will force the [.inline-code]johndoe[.inline-code] user to change their password every 10 days:

$ sudo chage -M 10 johndoe

[#set-a-delay-between-password-changes] Defining a minimum period between password changes [#set-a-delay-between-password-changes]

To define the minimum number of days between two password changes, you can use the [.inline-code]chage[.inline-code] command with the [.inline-code]-m[.inline-code] flag (short for [.inline-code]--mindays[.inline-code]) as follows:

$ sudo chage -m <days> <username>

Note that setting the number of days to [.inline-code]0[.inline-code] will allow users to change their password at any time.

For example, the following command will only allow the [.inline-code]johndoe[.inline-code] user to change their password once every 10 days:

$ sudo chage -m 10 johndoe
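
The [.inline-code]chage[.inline-code] and [.inline-code]passwd -e[.inline-code] settings from the sections above are stored as numeric fields (days since 1970-01-01) in each [.inline-code]/etc/shadow[.inline-code] entry. The following added example (not part of the original article) models how those fields combine on a given day, which helps when auditing accounts. The function names, status strings and sample entry are constructed for illustration, and the logic is a simplified model rather than the shadow-utils implementation, so behavior on exact boundary days may differ.

```bash
#!/bin/sh
# shadow_status 'SHADOW_LINE' TODAY   (TODAY = days since 1970-01-01)
# Fields: 1 name, 2 hash, 3 last change, 4 min (-m), 5 max (-M),
#         6 warn, 7 inactive (-I), 8 expire date (-E)
shadow_status() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '{
    lastchg = $3; max = $5; inact = $7; expire = $8
    # Field 8: absolute date set with chage -E.
    if (expire != "" && today >= expire + 0) { print "expire-date-passed"; exit }
    # Field 3 equal to 0: passwd -e was used, change forced at next login.
    if (lastchg != "" && lastchg + 0 == 0)   { print "change-required"; exit }
    # Empty field 3 or 5 (chage -M -1): no validity check at all.
    if (lastchg == "" || max == "")          { print "ok"; exit }
    pw_expires = lastchg + max
    # Field 7: days allowed after expiry before the account is locked.
    if (inact != "" && today >= pw_expires + inact) { print "locked-inactive"; exit }
    if (today >= pw_expires)                 { print "change-required"; exit }
    print "ok"
  }'
}

# may_change 'SHADOW_LINE' TODAY: succeeds if the minimum age (field 4,
# chage -m) has elapsed since the last change.
may_change() {
  printf '%s\n' "$1" | awk -F: -v today="$2" '{
    exit !($3 == "" || $4 == "" || today >= $3 + $4)
  }'
}

# Constructed entry: last change on day 19800, then
# chage -m 10 -M 10 -I 30 -E 2024-06-03 (2024-06-03 is day 19877).
entry='johndoe:HASH:19800:10:10:7:30:19877:'
for day in 19805 19820 19850 19900; do
  echo "day $day: $(shadow_status "$entry" "$day")"
done
```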

[#generate-random-passwords] Generating random passwords [#generate-random-passwords]

In general, randomly generated passwords are harder to guess and more resistant to brute-force or dictionary attacks than passwords created by humans.

Here are two methods you can use to generate random passwords.

[#generate-simple-passwords-with-openssl] Generating simple passwords using [.inline-code]openssl[.inline-code] [#generate-simple-passwords-with-openssl]

To generate a random password, you can use the [.inline-code]openssl rand[.inline-code] command with the [.inline-code]-base64[.inline-code] flag to generate a Base64-encoded string as follows:

$ openssl rand -base64 <length>

Where:

  • [.inline-code]length[.inline-code] is the length of the password string in bytes.

For example, the following command will generate a random Base64-encoded password of 10 characters:

$ openssl rand -base64 10
wjPuE3+Cp7s/Vn

[#generate-complex-passwords-with-urandom] Generating complex passwords using the [.inline-code]urandom[.inline-code] file [#generate-complex-passwords-with-urandom]

On Unix-like operating systems, the [.inline-code]/dev/urandom[.inline-code] file is used to generate a pseudo-random stream of bytes using the kernel's random number generator.

To generate complex passwords that include both alphanumeric characters and punctuation characters like [.inline-code]![.inline-code], [.inline-code]-[.inline-code] or [.inline-code]@[.inline-code], you can combine the [.inline-code]tr[.inline-code] and [.inline-code]head[.inline-code] commands as follows:

$ LC_ALL=C tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c <length>; echo

Where:

  • [.inline-code]LC_ALL=C[.inline-code] is an environment variable used to prevent any potential issues with character interpretations.
  • [.inline-code]tr -dc[.inline-code] is used to process an input stream and delete the characters that don't match the specified character classes.
  • [.inline-code]'[:alnum:][:punct:]'[.inline-code] is used to specify the character classes used by the [.inline-code]tr[.inline-code] command, where [.inline-code][:alnum:][.inline-code] represents alphanumeric characters and [.inline-code][:punct:][.inline-code] represents punctuation characters.
  • [.inline-code]head -c[.inline-code] is used to limit the output of the [.inline-code]tr[.inline-code] command to a specific length.
  • [.inline-code]echo[.inline-code] is used to print a new line.

For example, the following command will generate a pseudorandom password of 10 characters:

$ LC_ALL=C tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c 10 ; echo
p\0i}BIxQx
