Do you need to change your user password in Linux? Are you not sure how to do it? Don’t worry, we will show you how!
In this blog post, we will show you how to use the passwd command to change a password. Let’s get started!
Understanding user passwords in Linux
User passwords in Linux are securely stored in the system’s /etc/shadow file. This file is readable only by the root user, providing an extra layer of protection for the password hashes.
Linux uses a one-way hashing algorithm to store user passwords. The actual passwords are never stored in plain text. Instead, the system stores the hashed representation of the password, which is generated using a cryptographic function such as SHA-512.
When a user enters their password, the system hashes the input and compares it to the stored hashed value for authentication.
The hashing scheme used for each account is recorded in its /etc/shadow entry itself.
SHA-512 crypt is the scheme commonly used for password hashing in modern Linux distributions.
Here’s an example of how a user’s password is stored in the /etc/shadow file:
Let’s say we have a user named “john” with the password “secretpassword”.
When the user “john” creates an account or changes their password, the system will hash the password using the SHA-512 algorithm and store it in the /etc/shadow file.
The entry in the /etc/shadow file looks something like this:
In this entry:
- john is the username.
- $6$ indicates that the SHA-512 algorithm is used for hashing.
- JLOR6LQH is a randomly generated salt value.
- zSN2VnJ8sXk1mjfSfKfK/CO6G0cIis6bXbC…334dde. is the hashed password (combining the salt and the password).
The use of a salt value is a crucial aspect of password hashing in Linux. The salt adds random data to the password before hashing, making it more resistant to various attacks, including rainbow table attacks.
When the user “john” attempts to log in, the system takes the provided password, hashes it with the stored salt value, and then compares the result with the stored hashed password. If they match, the user is granted access.
It’s important to note that this hashing process is one-way, meaning it is computationally infeasible to reverse the hashed value back to the original password.
Change a user password with the passwd command in Linux
The easiest way to change a user password in Linux is the passwd command. Users can change their own password if they know their current password, while administrators (or users with superuser privileges) can change passwords for other user accounts.
Open a terminal window and type the passwd command. You will be prompted for your current password, then for the new password twice. Once you have done so, the user’s password will be changed.
Changing password for user howtouselinux.
Changing password for howtouselinux.
(current) UNIX password:
Retype new password:
passwd: all authentication tokens updated successfully.
If the new password meets the system’s password complexity requirements, it will be accepted, and you will see a confirmation message. If not, you will need to choose a different password that meets the requirements.
Note that if you are not logged in as the user whose password you want to change, you will need to have root privileges to change the password.
In this case, you can use the sudo command followed by the passwd command to change the password as the root user. For example, to change the password for the user “john” as the root user, type sudo passwd john.
The “passwd” command can also be used to expire passwords.
To do this, use the following command: passwd -e username. The user’s password will then be expired and they will be required to enter a new password the next time they log in.
You can use the “passwd” command to lock or unlock a user’s account. To lock an account in Linux, use the following command: passwd -l username. The user will not be able to log in until the account is unlocked.
Note that the account is not fully locked – the user can still log in by other means of authentication such as SSH public key authentication. Use the chage -E 0 username command instead for full account locking.
To unlock an account, use the following command: passwd -u username. Replace “username” with the actual username of the user whose account you want to unlock. The user will then be able to log in.
The -i option of the passwd command sets the number of inactive days for a user. It comes into play once the user’s password has expired: if the user does not change the password within that many days (10 days in this example), the account is disabled and the user can no longer log in.
To display user / account status information, use the -S option of the passwd command. The status line consists of seven fields, as shown below.
# passwd -S howtouselinux
howtouselinux PS 2022-09-20 0 99999 7 -1 (Password set, SHA512 crypt.)
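The /etc/shadow fields behind the passwd -S output, and the effects of passwd -l, passwd -e, passwd -i and chage -E described above, can be checked with a small classifier. This is an added example, not code from the original article; the shadow entries are constructed samples and PLACEHOLDERHASH stands in for a real SHA-512 crypt hash.

```shell
#!/bin/sh
# Added example, not from the original article: classify /etc/shadow entries
# according to the passwd -l/-e/-i and chage -E effects described above.
# Constructed samples; PLACEHOLDERHASH stands in for a real SHA-512 crypt hash.
# Layout: name:pw:lastchg:min:max:warn:inactive:expire:reserved, days since 1970-01-01
# (19255 is 2022-09-20, the date shown in the passwd -S output above).
SAMPLE_SHADOW='john:$6$JLOR6LQH$PLACEHOLDERHASH:19255:7:90:7:10::
alice:!$6$abcdefgh$PLACEHOLDERHASH:19300:0:99999:7:-1::
bob:*:19000:0:99999:7:::
carol:$6$ijklmnop$PLACEHOLDERHASH:0:0:99999:7:::
dave:$6$qrstuvwx$PLACEHOLDERHASH:19300:0:99999:7::0:'

# shadow_state NAME TODAY -> prints one word:
#   locked        pw starts with "!" (passwd -l); SSH key logins still work
#   nopass        pw is "*": no usable password
#   expired-acct  expire field has passed (chage -E 0): no login by any method
#   must-change   lastchg is 0 (passwd -e): new password demanded at next login
#   inactive      password expired more than `inactive` days ago (passwd -i)
#   expired       password older than `max` days; warn: inside the warning window
#   ok            otherwise
shadow_state() {
    name="$1"; today="$2"
    entry=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$name:") || return 1
    IFS=: read -r login pw lastchg min max warn inactive expire rest <<EOF
$entry
EOF
    case "$pw" in
        '!'*) echo locked; return 0 ;;
        '*')  echo nopass; return 0 ;;
    esac
    if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then echo expired-acct; return 0; fi
    if [ "${lastchg:-0}" -eq 0 ]; then echo must-change; return 0; fi
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi
    days_left=$(( lastchg + max - today ))
    if [ "$days_left" -lt 0 ]; then
        # an empty or -1 inactive field means the feature is off: stay at "expired"
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ $(( -days_left )) -gt "$inactive" ]; then
            echo inactive
        else
            echo expired
        fi
    elif [ "$days_left" -le "${warn:-0}" ]; then
        echo warn
    else
        echo ok
    fi
}

if [ "$#" -eq 2 ]; then shadow_state "$1" "$2"; fi
```

Run it as `sh shadow_state.sh john 19340` to see john inside the warning window; note that only expired-acct blocks every login method, which is why the text recommends chage -E 0 over passwd -l.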
By following the steps above, you can easily change, expire, or lock a user’s password in Linux.
Understanding Password Aging and Warning Periods
Configuring password aging and warning periods in Linux helps ensure that users change their passwords regularly and stay informed about upcoming password expiration.
Here’s how you can set up password aging and warning periods:
Open the /etc/login.defs file in a text editor with root privileges.
Look for the lines related to password aging settings. These lines may vary depending on the Linux distribution, but common parameters include:
- PASS_MAX_DAYS: Specifies the maximum number of days a password is valid before it must be changed.
- PASS_MIN_DAYS: Specifies the minimum number of days that must pass before a user can change their password again.
- PASS_WARN_AGE: Specifies the number of days before password expiration that users should start receiving warning messages.
Set the desired values for these parameters according to your password policy requirements. For example, with PASS_MAX_DAYS set to 90, PASS_MIN_DAYS set to 7 and PASS_WARN_AGE set to 7, passwords expire after 90 days, users must wait at least 7 days before changing their password again, and they start receiving warning messages 7 days before their passwords expire.
Save the changes to the /etc/login.defs file.
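To review the aging policy without trusting a visual scan of the file, the settings can be read back programmatically. This is an added example, not from the original article: the /etc/login.defs content is a constructed fragment using the 90/7/7 values discussed above, and the lookup skips comments and blank lines and treats a later occurrence of a key as overriding an earlier one.

```shell
#!/bin/sh
# Added example, not from the original article: a constructed /etc/login.defs
# fragment with the three aging settings (90/7/7 as discussed above) and a
# lookup that reads a setting the way an audit script should: comment and
# blank lines are skipped, the separator is any whitespace, and a later
# occurrence of a key overrides an earlier one.
LOGIN_DEFS='# Password aging controls (constructed sample; distribution defaults)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

# Site policy appended later in the file; the last line is commented out
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
#PASS_WARN_AGE  14'

# login_def KEY -> prints the effective value; returns 1 if KEY is not set
login_def() {
    printf '%s\n' "$LOGIN_DEFS" | awk -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments and blank lines
        $1 == key { val = $2; found = 1 }     # later lines override earlier
        END { if (found) print val; else exit 1 }'
}

# aging_policy -> prints "max min warn" for a quick policy review
aging_policy() {
    printf '%s %s %s\n' "$(login_def PASS_MAX_DAYS)" \
        "$(login_def PASS_MIN_DAYS)" "$(login_def PASS_WARN_AGE)"
}

if [ "$#" -eq 0 ]; then aging_policy; fi
```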
Users will now receive password expiration warnings when they log in within the specified warning period. The exact method of notification depends on the Linux distribution and the configured system settings.
It’s important to note that the specific steps and configuration files may differ slightly based on the Linux distribution you are using. Therefore, it’s recommended to consult the documentation or manual specific to your distribution for accurate instructions.
By configuring password aging and warning periods, you encourage users to regularly update their passwords, improving overall security by reducing the risk of compromised accounts due to long-standing, unchanged passwords.
Tips to change user password in Linux
There are a few things to keep in mind when changing a user’s password in Linux.
First, make sure that you use a strong password. A strong password should be at least 8 characters long and contain a mix of upper and lower case letters, numbers, and symbols. You can use the pwgen command to generate a random, strong password.
It is also a good idea to avoid using easily guessed words or phrases in your password. For example, using your name or birthday as your password is not recommended. Instead, try to come up with a phrase that is meaningful to you but would be difficult for someone else to guess.
Remember to change your password regularly. This will help to ensure that your account remains secure.
Second, keep in mind that changing a user’s password will also change the password for any services that the user has set up. So, if the user has a website that is hosted on their account, they will need to update the password for that as well.
Finally, if you are the root user, you can change any user’s password. However, it is generally considered good practice to only change your own password and let each user change their own password.