Change User Passwords In Linux
The short answer
In Linux, to change the password of user, you can use the passwd command as follows:
$ sudo passwd <username>After running the command, you'll be prompted to enter the new password twice for confirmation. Note that when typing the password, no characters will be displayed on the screen for security reasons.
Also note that this command requires superuser privileges to run (i.e.sudo) as it manipulates the /etc/passwd and /etc/shadowsystem authentication files.
For example, the following command will change the password of the johndoe user account:
$ sudo passwd johndoe
New password:
Retype new password:
passwd: password updated successfullyChanging the password of multiple users
To change the password of multiple users at once, you can use the chpasswd command that reads username-password pairs from the standard input:
$ sudo chpasswdWhere the username and the password are separated by a colon character:
username:passwordOnce you've entered your user account list, you can press CTRL + D to send an EOF (End of File) signal and execute the command.
Note that, by default, the supplied passwords must be written in clear-text as they will be automatically encrypted by the chpasswd command.
For example, the following command will change the passwords of both the alice and bob user accounts:
$ sudo chpasswd
alice:helloworld
bob:hallowelt
^DReading username-password pairs from a file
Since the chpasswd reads directly from the standard input, you can create a list of username-password pairs into a regular file:
username1:password1
username2:password2And feed this file to the chpasswd command using the input redirection operator as follows:
sudo chpasswd <passwords.txtNote that in order to restrict access and prevent unauthorized users from reading or modifying this file, you can change its permissions to only allow the owner to perform these action using the chmod command as follows:
$ chmod 600 passwords.txtYou can learn more about the chmod command by reading our other article on how to change file permissions in Linux.
Changing a password’s expiration date
In Linux, setting a password expiration date helps enhance the security of user accounts by mitigating the risk of long-term password compromise.
To change the expiration date of a password and force the user to change it past that date, you can use the chage command with the -E flag (short for --expiredate ) as follows:
$ sudo chage -E <date> <username>Where:
- date is a date in the YYYY-MM-DD format.
This implies that after this date, the user will not be able to log in without resetting their password.
For example, the following command will set the expiration date of the johndoe user account password to June 3rd, 2024:
$ sudo chage -E 2024-06-03 johndoeExpiring a password immediately
To immediately expire a password and force a user to change their password upon next login, you can use the passwd command with the -e flag (short for --expire ) as follows:
$ sudo passwd -e <username>Locking user accounts with expired passwords
To automatically lock user accounts with expired passwords that haven't been used in a certain period of time, you can use the chage command with the -I flag (short for --inactive ) as follows:
$ sudo chage -I <days> <username>Note that setting the number of days to -1 will remove the account's inactivity.
For example, the following command will allow the johndoe user account to be inactive for 30 days after its password has expired before being automatically locked:
$ sudo chage -I 30 johndoeEnforcing a periodic password change
To set the maximum number of days during which a password is valid, you can use the chage command with the -M flag (short for --maxdays ) as follows:
$ sudo chage -M <days> <username>Note that setting the maximum amount of days to 0 will force the user to change their password every single time they log in, and setting it to -1 will remove the password's validity check, which means that a user will be able to keep the same password indefinitely.
For example, the following command will force the johndoe user to change their password every 10 days:
$ sudo chage -M 10 johndoeDefining a minimum period between password changes
To define the minimum number of days between two password changes, you can use the chage command with the -m flag (short for --mindays) as follows:
$ sudo chage -m <days> <username>Note that setting the amount of days to 0 will allow users to change their password at any time.
For example, the following command will only allow the johndoe user to change their password every 10 days:
$ sudo chage -m 10 johndoeGenerating random passwords
In general, randomly generated passwords are usually harder to guess and more resistant to brute-force or dictionary attacks compared to passwords created by humans.
Here are two methods you can use to generate random password.
Generating simple passwords using openssl
To generate a random password, you can use the openssl rand command with the -base64 flag to generate a Base64-encoded string as follows:
$ openssl rand -base64 <length>Where:
- length is the length of the password string in bytes.
For example, the following command will generate a random Base64-encoded password of 10 characters:
$ openssl rand -base64 10
wjPuE3+Cp7s/VnGenerating complex passwords using the urandom file
On Unix-like operating systems, the /dev/urandom file is used to generate a pseudo-random stream of bytes using the kernel's random number generator.
To generate complex password that include both alphanumeric characters and punctuation characters like ! , - or @ , you can combine the tr and head commands as follow:
$ LC_ALL=C tr -dc '[:alnum:][:punct:]' < /dev/urandom | head -c <length > ; echoWhere:
- LC\_ALL=C is an environment variable used to prevent any potential issues with character interpretations.
- tr -dc is used to process an input stream and delete the characters that don't match the specified character classes.
- ':alnum:]:punct:]' is used to specify the character classes used by the tr command, where :alnum:] represents alphanumeric characters and :punct:] represents punctuation characters.
- head -c is used to limit the output of the tr command to a specific length.
- echo is used to print a new line.
For example, the following command will generate a pseudorandom password of 10 characters:
bash $ LC_ALL=C tr -dc '[:alnum:][:punct:]' > /dev/urandom | head -c 10 ; echo
p\0i}BIxQxRelated articles
Bash Comments
Comments will help make your scripts more readable
Reading User Input
Via command line arguments and prompting users for input
Curl Post Request
Use cURL to send data to a server
Upload Files With curl
Learn how to upload a file to FTP, SFTP servers, Artifactory, and AWS S3 using the curl command.
How To Copy A Directory In Linux
Learn how to copy directories and their content in Linux using the cp command with options like -r for recursive copying, -i for interactive mode, and -a for preserving attributes.
Create Groups In Linux
Learn how to manually and automatically create and list groups in Linux.
How to Check the Size of Folders in Linux
Learn how to output the size of directories and subdirectories in a human-readable format in Linux and macOS using the du command.
Count Files in Linux
Learn how to count files and folders contained in directories and subdirectories in Linux using the ls, find, and wc commands.
List Open Ports in Linux
Learn how to output the list of open TCP and UDP ports in Linux, as well as their IP addresses and ports using the netstat command.
Format Command Output In Linux
Learn how to filter and format the content of files and the output of commands in Linux using the awk command.
Create Directories Recursively With mkdir
Learn how to recursively create nested directories using the mkdir command, Bash scripts, and Python scripts.
Remover Users in Linux
Learn how to remove local and remote user accounts and associated groups and files in Linux using the userdel and deluser commands.
