Administration – Managing Passwords

Adding or changing a password is usually done quite simply with the passwd command. However, there are additional options available with passwd that let an administrator manage such things as user account locking, password expiration, and warnings to change passwords. Besides passwd, there are commands such as chage, chfn, and vipw, for working with user passwords. Regular users can change only their own passwords, whereas the root user can change the password for any user. For example:

Change a regular user’s own password
$ passwd
Changing password for user marvin.
Changing password for marvin.
(current) UNIX password: ********
New UNIX password: *
BAD PASSWORD: it’s WAY too short
New UNIX password: *********
Retype new UNIX password: *********
passwd: password updated successfully

Root can change any user’s password
$ sudo passwd marvin
Changing password for user marvin.
New UNIX password: *
Retype new UNIX password: *
passwd: password updated successfully

In the first example, a regular user (marvin) changes his own password. Even while logged in, the user must type the current password before entering a new one. Also, passwd keeps a regular user from setting a password that is too short, is based on a dictionary word, doesn’t have enough different characters, or is otherwise easy to guess. The root user, in the second example, can change any user’s password without supplying the old one.

Passwords should be at least eight characters, be a combination of letters and other characters (numbers, punctuation, and so on), and not include real words. Make passwords easy to remember but hard to guess. A system administrator can use passwd to lock and unlock user accounts. For example:

Lock the user account (marvin)
$ sudo passwd -l marvin
Locking password for user marvin.
passwd: Success

Unlock a locked user account (marvin)
$ sudo passwd -u marvin
Unlocking password for user marvin.
passwd: Success

Fails to unlock account with blank password
$ sudo passwd -u marvin
Unlocking password for user marvin.
passwd: Warning: unlocked password would be empty.
passwd: Unsafe operation (use -f to force)

Locking a user account with passwd causes an exclamation mark (!) to be placed at the front of the password field in the /etc/shadow file (where the hashed user passwords are stored). When a user account is unlocked, the exclamation mark is removed and the user’s previous password is restored.

An administrator can use the passwd command to require users to change passwords regularly, as well as warn users when passwords are about to expire. To use the password expiration feature, the user account needs to have had password expiration enabled. The following examples use passwd to modify password expiration:

Set minimum password life to 2 days
$ sudo passwd -n 2 marvin

Set maximum password life to 300 days
$ sudo passwd -x 300 marvin

Warn of password expiration 10 days in advance
$ sudo passwd -w 10 marvin

Days after expiration account is disabled
$ sudo passwd -i 14 marvin

In the first example, the user must wait at least two days (-n 2) before changing to a new password. In the second, the user must change the password within 300 days (-x 300). In the next example, the user is warned 10 days before the password expires (-w 10). In the last example, the user account is disabled 14 days after the password expires (-i 14). To view password expiration, you can use the chage command as follows:

View password expiration information
$ sudo chage -l marvin
Last password change : Aug 04, 2007
Password expires : May 31, 2008
Password inactive : Jun 14, 2008
Account expires : never
Minimum number of days between password change : 2
Maximum number of days between password change : 300
Number of days of warning before password expires : 10

As system administrator, you can also use the chage command to manage password expiration. Besides being able to set minimum (-m), maximum (-M), and warning (-W) days for password expiration, chage can also set the day when a user must set a new password or a particular date the account becomes inactive:

Make account inactive in 40 days
$ sudo chage -I 40 marvin

Force user’s password to expire in 5 days
$ sudo chage -d 5 marvin

Instead of five days (-d 5), you could set that option to 0 and cause the user to have to set a new password the next time he or she logs in. For example, the next time the user marvin logged in, if -d 0 had been set, marvin would be prompted for a new password as follows:

login: marvin
Password: ********
You are required to change your password immediately (root enforced)
Changing password for marvin.
(current) UNIX password:
New UNIX password: *********
Retype new UNIX password: *********
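As an added example (not code from the original post), the following Python script reads /etc/shadow-style entries and reconstructs the information chage -l prints from the lock prefix and the aging fields that passwd -l/-n/-x/-w/-i and chage -d set, flagging the states discussed above (locked with an empty password, change forced at next login, expired, never expiring). The sample entries and their hashes are constructed.

```python
"""Audit password-aging state from /etc/shadow entries (added example,
not from the original post).  Field order, per shadow(5):
name:password:lastchg:min:max:warn:inactive:expire:reserved
Numeric fields are day counts since 1970-01-01, as written by passwd/chage."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
NO_EXPIRY = 99999  # default "max" value, meaning the password never expires

# Constructed sample entries (hashes are placeholders); on a real host read /etc/shadow as root.
SAMPLE_SHADOW = """\
marvin:$6$constructedhash:15000:2:300:10:14::
locked:!$6$constructedhash:15000:0:99999:7:::
blank:!:15000:0:99999:7:::
newbie:$6$constructedhash:0:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one shadow(5) line into a dict; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    num = lambda s: int(s) if s else None
    return {"name": fields[0], "password": fields[1],
            "lastchg": num(fields[2]), "min": num(fields[3]), "max": num(fields[4]),
            "warn": num(fields[5]), "inactive": num(fields[6]), "expire": num(fields[7])}

def audit(entry, today):
    """Derive what chage -l reports for the entry, plus findings worth flagging."""
    pw, findings = entry["password"], []
    locked = pw.startswith("!")  # passwd -l puts '!' in front of the hash
    if pw.lstrip("!") == "":     # the case where passwd -u refuses as unsafe
        findings.append("empty password; do not unlock" if locked else "empty password")
    if entry["lastchg"] == 0:    # chage -d 0: change forced at next login
        findings.append("password change forced at next login")
    expires = inactive_on = None
    if entry["lastchg"] and entry["max"] is not None and entry["max"] < NO_EXPIRY:
        expires = EPOCH + timedelta(days=entry["lastchg"] + entry["max"])  # passwd -x
        if entry["inactive"] is not None:                                  # passwd -i
            inactive_on = expires + timedelta(days=entry["inactive"])
        if today > expires:
            findings.append("password expired on %s" % expires)
    elif not locked:
        findings.append("password never expires (max days unset or 99999)")
    return {"name": entry["name"], "locked": locked, "password_expires": expires,
            "password_inactive": inactive_on, "findings": findings}

def audit_shadow(text, today=None):
    today = today or date.today()
    return [audit(parse_shadow_line(l), today) for l in text.splitlines() if l.strip()]
```

Run as root against the real file to list accounts that never expire or are locked with an empty password. A "!" lock only disables the password itself, so to block logins that never consult it (SSH public keys, for instance) also set an account expiry date with chage -E.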


About msotela

This blog is for anyone who wants to access the power of a Linux system as a systems administrator or user. You may be a Linux enthusiast, a Linux professional, or possibly a computer professional who is increasingly finding the Windows systems in your data center supplanted by Linux boxes.

Posted on September 23, 2009, in Unix/Linux.
