How to Force Users to Change Their Passwords on Linux

Passwords are the keystone to account security. We’ll show you how to reset passwords, set password expiration periods, and enforce password changes on your Linux network.

The Password Has Been Around for Nearly 60 Years

We’ve been proving to computers that we are who we say we are since the mid-1960s, when the password was first introduced. Necessity being the mother of invention, the Compatible Time-Sharing System developed at the Massachusetts Institute of Technology needed a way to identify different people on the system. It also needed to prevent people from seeing each other’s files.

Fernando J. Corbató proposed a scheme that allocated a unique username to each person. To prove someone was who they said they were, they had to use a private, personal password to access their account.

The trouble with passwords is they operate just like a key. Anyone who has a key can use it. If someone finds, guesses, or figures out your password, that person can access your account. Until multi-factor authentication is universally available, the password is the only thing keeping unauthorized people (threat actors, in cybersecurity-speak) out of your system.

Remote connections made by a Secure Shell (SSH) can be configured to use SSH keys instead of passwords, and that’s great. However, that’s only one connection method, and it doesn’t cover local logins.

Clearly, the management of passwords is vital, as is the management of the people who are using those passwords.

RELATED: How to Create and Install SSH Keys From the Linux Shell

The Anatomy of a Password

What makes a password good, anyway? Well, a good password should have all the following attributes:

• It’s impossible to guess or figure out.
• You haven’t used it anywhere else.
• It hasn’t have been involved in a data breach.

The Have I Been Pwned (HIBP) website contains over 10 billion sets of breached credentials. With figures that high, chances are someone else has used the same password you are. This means your password might be in the database, even though it wasn’t your account that was breached.

If your password is on the HIBP website, this means it’s on the lists of passwords threat actors’ brute-force and dictionary attack tools use when they’re trying to crack an account.

A truly random password (like 4HW@HpJDBr%*Wt@#b~aP) is practically invulnerable, but, of course, you’d never remember it. We highly recommend you use a password manager for online accounts. They generate complex, random passwords for all your online accounts, and you don’t have to remember them—the password manager supplies the correct password for you.

For local accounts, each person has to generate his or her own password. They’ll also need to know what is an acceptable password and what isn’t. They’ll have to be told not to reuse passwords on other accounts, and so on.

This information is usually in an organization’s Password Policy. It instructs people to use a minimum number of characters, mix upper- and lowercase letters, include symbols and punctuation, and so on.

However, according to a brand-new paper from a team at Carnegie Mellon University, all of these tricks add little or nothing to the robustness of a password. Researchers found that the two key factors for password robustness are that they’re at least 12 characters long and sufficiently strong. They measured password strength using a number of software cracker programs, statistical techniques, and neural networks.

A 12-character minimum might sound daunting at first. However, don’t think in terms of a password, but rather, a passphrase of three or four unrelated words separated by punctuation.

For example, the Experte Password Checker said it would take 42 minutes to crack “chicago99,” but 400 billion years to crack “chimney.purple.bag.” It’s also easy to remember and type, and contains only 18 characters.

RELATED: Why You Should Use a Password Manager, and How to Get Started

Reviewing Current Settings

Before you go changing anything to do with a person’s password, it’s prudent to have a look at their current settings. With the passwd command, you can review their current settings with its -S (status) option. Note that you’ll also have to use sudo with passwd if you’re working with someone else’s password settings.

We type the following:

sudo passwd -S mary

A single line of information is printed to the terminal window, as shown below.

You see the following pieces of information (from left to right) in that curt response:

• The person’s login name.
• One of the following three possible indicators appears here:
  • P: Indicates the account has a valid, working password.
  • L: Means the account has been locked by the owner of the root account.
  • NP: A password hasn’t been set.
• The date the password was last changed.
• Minimum password age: The minimum period of time (in days) that must elapse between password resets performed by the owner of the account. The owner of the root account, however, can always change anyone’s password. If this value is 0 (zero), there isn’t a restriction on the frequency of password changes.
• Maximum password age: The owner of the account is prompted to change his or her password when it reaches this age. This value is given in days, so a value of 99,999 means the password never expires.
• Password change warning period: If a maximum password age is enforced, the account owner will receive reminders to change his or her password. The first of these will be sent the number of days shown here before the reset date.
• Inactivity period for the password: If someone doesn’t access the system for a period of time that overlaps the password reset deadline, this person’s password won’t be changed. This value indicates how many days the grace period is following a password expiration date. If the account remains inactive this number of days after a password expires, the account is locked. A value of -1 disables the grace period.

Setting a Maximum Password Age

To set a password reset period, you can use the -x (maximum days) option with a number of days. You don’t leave a space between the -x and the digits, so you would type it as follows:

sudo passwd -x45 mary

We’re told the expiry value has been changed, as shown below.

Use the -S (status) option to check that the value is now 45:

sudo passwd -S mary

Now, in 45 days, a new password must be set for this account. Reminders will commence seven days prior to that. If a new password isn’t set in time, this account will be locked immediately.

Enforcing an Immediate Password Change

You can also use a command so others on your network will have to change their passwords the next time they log in. To do this, you would use the -e (expire) option, as follows:

sudo passwd -e mary

We’re then told the password expiry information has changed.

Let’s check with the -S option and see what’s happened:

sudo passwd -S mary

The date of the last password change is set to the first day of 1970. The next time this person tries to log in, he or she will have to change their password. They must also provide their current password before they can type a new one.

Should You Enforce Password Changes?

Forcing people to change their passwords regularly used to be common sense. It was one of the routine security steps for most installations and considered a good business practice.

The thinking now is the polar opposite. In the U.K., the National Cyber Security Centre strongly advises against enforcing regular password renewals, and the National Institute of Standards and Technology in the U.S. agrees. Both organizations recommend enforcing a password change only if you know or suspect an existing one is known by others.

Forcing people to change their passwords becomes monotonous and encourages weak passwords. People usually start reusing a base password with a date or other number tagged onto it. Or, they’ll write them down because they have to change them so often, they can’t remember them.

The two organizations we mentioned above recommend the following guidelines for password security:

• Use a password manager: For both online and local accounts.
• Turn on two-factor authentication: Wherever this is an option, use it.
• Use a strong passphrase: An excellent alternative for those accounts that won’t work with a password manager. Three or more words separated by punctuation or symbols is a good template to follow.
• Never reuse a password: Avoid using the same password you use for another account, and definitely don’t use one listed on Have I Been Pwned.

The tips above will allow you to establish a secure means to access your accounts. Once you have these guidelines in place, stick with them. Why change your password if it’s strong and secure? If it falls into the wrong hands—or you suspect that it has—you can change it then.

Sometimes, this decision is out of your hands, though. If the powers that be enforce password changes, you don’t have much choice. You can plead your case and make your position known, but unless you’re the boss, you’ll have to follow company policy.

RELATED: Should You Change Your Passwords Regularly?

The chage Command

You can use the chage command to change the settings regarding password aging. This command gets its name from “change aging.” It’s like the passwd command with the password-creation elements removed.

The -l (list) option presents the same information as the passwd -S command, but in a more friendly fashion.

We type the following:

sudo chage -l eric

Another neat touch is you can set an account expiration date using the -E (expiry) option. We’ll pass a date (in the year-month-date format) to set an expiration date of Nov. 30, 2020. On that date, the account will be locked.

We type the following:

sudo chage eric -E 2020-11-30

Next, we type the following to make sure this change has been done:

sudo chage -l eric

We see the account expiration date has changed from “never” to Nov. 30, 2020.

To set a password expiration period, you can use the -M (maximum days) option, along with the maximum number of days a password can used before it must be changed.

We type the following:

sudo chage -M 45 mary

We type the following, using the -l (list) option, to see the effect of our command:

sudo chage -l mary

The password expiration date is now set to 45 days from the date we set it, which, as we’re shown, will be Dec. 8, 2020.

Making Password Changes for Everyone on a Network

When accounts are created, a set of default values are used for passwords. You can define what the defaults are for the minimum, maximum, and warning days. These are then held in a file called “/etc/login.defs.”

You can type the following to open this file in gedit:

sudo gedit /etc/login.defs

Scroll to the password aging controls.

You can edit these to suit your requirements, save your changes, and then close the editor. The next time you create a user account, these default values will be applied.

If you want to change all the password expiration dates for existing user accounts, you can easily do so with a script. Just type the following to open the gedit editor and create a file called “password-date.sh”:

sudo gedit password-date.sh

Next, copy the following text into your editor, save the file, and then close gedit:

#!/bin/bash reset_days=28 for username in $(ls /home)
do sudo chage $username -M $reset_days echo $username password expiry changed to $reset_days
done

This will change the maximum number of days for each user account to 28, and therefore, the password reset frequency. You can adjust the value of the reset_days variable to suit.

First, we type the following to make our script executable:

chmod +x password-date.sh

Now, we can type the following to run our script:

sudo ./password-date.sh

Each account is then processed, as shown below.

We type the following to check the account for “mary”:

sudo change -l mary

The maximum days’ value has been set to 28, and we’re told that will fall on Nov. 21, 2020. You can also easily modify the script and add more chage or passwd commands.

---

Password management is something that must be taken seriously. Now, you have the tools you need to take control.