Managing user credentials is a fundamental task for any Linux system administrator. Whether you’re maintaining a single server or a cluster of production machines, knowing how to efficiently change user passwords is critical for maintaining security and access control. This comprehensive tutorial covers what you need to know about changing user passwords on Linux systems, including practical usage of the passwd and chage commands with real-world context. We’ll also discuss best practices, security considerations, and common administration scenarios that ensure password management is both effective and secure across Debian, Ubuntu, CentOS, RHEL, and other Linux distributions.
How to Change User Passwords in Linux: Core Commands and Use Cases
The passwd command is the cornerstone for altering user passwords on Linux. By default, a regular user can change only their own password, while root or users with sudo privileges can modify passwords for any user. Passwords are securely stored and encrypted in the /etc/shadow file which is only accessible by system administrators. This protects sensitive data even in multi-user environments.
Changing your own password is a simple yet fundamental step to maintaining personal account security. This usually happens after initial setup, or when you suspect your credentials might have been compromised. Here’s how you do it:
passwd Changing password for username. (current) UNIX password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
This command prompts the user for the current password first, then asks twice for the new password to avoid typos. Password input is hidden for security. In production environments, it’s common to enforce strong passwords that include a mix of uppercase, lowercase, numbers, and special characters to prevent brute force attacks.
When managing multiple users or resetting credentials for someone else (like in user support scenarios), you need elevated privileges. System administrators and DevOps engineers often run:
sudo passwd username Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
Here, the root or sudo user does not need to enter the current password — only the new password twice. This is essential when users forget their passwords or when setting passwords during onboarding new accounts. Always ensure you transfer the new passwords securely to the user and encourage immediate password changes where feasible.
Modifying the root user’s password is a highly sensitive operation. Often, admins do this after initial system setup or for emergency recovery. On many distributions like Ubuntu, the root account is locked by default and requires setting a password explicitly for local root login:
sudo passwd root Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
Note that enabling root login may have implications for SSH access. A best practice is to continue using sudo for administrative tasks remotely and only enable direct root login when absolutely necessary.
Advanced Password Management: Forcing Changes, Aging Policies, and Account Locking
In real production setups, password management often involves enforcing policies to maintain security hygiene. One common requirement is to force users to change their password at the next login — this is typical after administrator resets or periodic security audits:
sudo passwd --expire username passwd: password expiry information changed.
This command marks the password as expired. The user will be immediately prompted to create a new password upon next login, ensuring credentials stay fresh.
An alternative, but equivalent, method involves the chage command which handles password aging attributes:
sudo chage -d 0 username
This sets the last password change date to “epoch zero,” forcing an immediate change.
Understanding how to inspect and modify password aging policies can save administrators from recurring manual resets. Using chage -l allows you to review password expiry date, inactivity period, and warnings:
sudo chage -l username Last password change : Jun 10, 2024 Password expires : Sep 08, 2024 Password inactive : never Account expires : never Minimum number of days between password change : 7 Maximum number of days between password change : 90 Number of days of warning before password expires : 7
Typical password policies might enforce a maximum age of 90 days, minimum age of 7 days (to prevent rapid cycling), and a warning period of 7-14 days to alert users prior to expiration:
sudo chage -M 90 username sudo chage -m 7 username sudo chage -W 14 username
Setting an account expiration date can also be done with:
sudo chage -E 2024-12-31 username
This expiry is useful for temporary accounts or contractors who should lose access automatically after a fixed date, improving administrative control and compliance.
Locking and unlocking accounts are often necessary when a user leaves the company or when suspicious activity is detected. Locking disables password login by prepending a ‘!’ character in the encrypted password entry in /etc/shadow:
sudo passwd -l username passwd: password expiry information changed.
Unlocking the account is done with:
sudo passwd -u username
Checking lock status is straightforward:
sudo passwd -S username username L 06/10/2024 0 90 7 -1
Here, ‘L’ indicates locked, while ‘P’ means the password is usable. One practical tip is to know that passwd -l does NOT disable SSH key authentication, so for full lockout, combine it with shell disabling like:
sudo usermod -s /usr/sbin/nologin username
Best Practices for Managing Passwords in Production Linux Systems
Here are a few tips drawn from over a decade of Linux administration:
- Always enforce strong, unique passwords. Use password complexity policies via PAM modules (like
pam_pwquality) to prevent weak passwords. - Make use of password expiration policies. Automate password aging to force users to update credentials periodically — an invaluable defense against leaked credentials.
- Use sudo instead of root login over SSH. Keep root account locked unless absolutely necessary for security auditing.
- Maintain an audit trail of password changes. Regularly check logs to catch unauthorized changes early.
- When removing passwords (setting empty), understand risks. Empty passwords allow passwordless logins, appropriate only in controlled, isolated environments like development or containers.
- Leverage automation for bulk password updates. Use scripting with commands like
chpasswdin staging or cloud environments for efficiency.
Troubleshooting Scenario: Resolving a Locked-Out User Account
A frequent issue I encountered involved a user who locked themselves out after multiple failed password attempts and could no longer access critical services. Initial investigation revealed the account was locked due to policy with passwd -l. The user also used SSH key authentication, which still worked but the application required password authentication.
The fix was straightforward:
sudo passwd -u username passwd: password expiry information changed.
This unlocked the account, allowing password usage again. Additionally, forcing a password reset at next login ensured the user selected a secure new password:
sudo passwd --expire username
To avoid this in future, implement pam_tally2 or faillock modules to auto-unlock after a timeout period and communicate clear password expiration warnings to users.
Conclusion
Mastering how to change user passwords in Linux is a cornerstone of secure system administration. The passwd command allows both regular users and administrators to manage credentials effectively, while chage offers deep control over password aging and expiration policies. Understanding when and how to lock accounts or enforce password changes helps maintain a secure environment, especially in production settings where access control is critical. Combining these tools with best practices ensures Linux servers and user accounts remain protected against unauthorized access and potential security risks.
