How to Force User to Change Password in Linux


There are plenty of reasons why you’d want to change a user’s password, but security is at the heart of all of them. Plenty of Linux admins force their users to change their passwords on a regular basis to prevent security breaches before any problems arise. Forcing a reset is also necessary after a problem has occurred to ensure that any lingering weaknesses are remedied.

The first, and probably best, method for forcing a user to reset their password is the chage command. It changes the recorded age of a user’s password, and that can be used to forcibly expire the password. This method works across all logins, including SSH.

Expire password with chage

You’ll be using chage in conjunction with the -d flag. The -d flag sets the date the user’s password was last changed, expressed as the number of days since January 1, 1970 (the beginning of time in computing). Setting that value to zero causes the password to immediately expire.

The next time the user signs in, they’ll be prompted to change their password. You can confirm that this worked with the -l flag, which lists the password aging information for the account.

You can also force a user’s password to expire with the usual passwd command. Passwd is used for all sorts of password management tasks, including setting expiration dates and immediately expiring passwords.

After a Set Time

Set an expiration time with passwd

Passwd is often used to force passwords to expire after a set duration, say thirty days. This is accomplished by passing a number of days to the -x flag.

You can give the user a heads-up a few days before their password expires with the -w flag. Pass it the number of days you want to warn the user before their password is no longer valid.

Immediately

passwd set instant expire

You can use passwd to immediately expire a user password, too. This will ignore any existing timers, and present the user with a message as soon as they go to log in again. The -e flag will handle this.

Whether you’re using chage or passwd, you can control all the passwords on your Linux system with relative ease. It’s generally good practice to set an expiration date for your passwords with passwd for regular operations and security practices. Then, in case of emergency, use chage to cut off an account instantly. If you suspect that a user’s account is the one that’s compromised, consider locking the account instead, as detailed in the passwd guide linked earlier.
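To verify the result of either tool across many accounts, the following added example (not part of the original article) reads shadow(5)-format lines and reports each account's aging state. The function names audit_aging and sample_shadow are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# shadow(5) fields used here:
#   1=user  2=hash  3=last change (days since 1970-01-01)  5=max age  6=warn days
# chage -d 0 and passwd -e both set field 3 to 0; passwd -x sets field 5,
# passwd -w sets field 6; passwd -l prefixes the hash in field 2 with "!".

# audit_aging FILE [TODAY]: print "user status max=<days> warn=<days>" per line.
# FILE may be "-" for stdin; TODAY (days since epoch) defaults to the current day.
audit_aging() {
    today=${2:-}
    [ -n "$today" ] || today=$(( $(date +%s) / 86400 ))
    awk -F: -v today="$today" '
    /^#/ || NF < 6 { next }               # skip comments and malformed lines
    {
        last = $3; max = $5; warn = $6
        if ($2 ~ /^[!*]/)
            status = "pw-disabled"        # password login locked or never set
        else if (last == "0")
            status = "must-change"        # forced change at next login
        else if (max == "" || max + 0 >= 99999)
            status = "never-expires"      # no maximum age policy applied
        else if (last != "" && last + max < today)
            status = "expired"            # maximum age already exceeded
        else
            status = "ok"
        printf "%s %s max=%s warn=%s\n", $1, status,
               (max == "" ? "-" : max), (warn == "" ? "-" : warn)
    }' "${1:--}"
}

# Constructed sample entries (not real accounts or hashes).
sample_shadow() {
    cat <<'EOF'
alice:$6$constructed$hash:0:0:30:7:::
bob:$6$constructed$hash:19990:0:30:5:::
carol:$6$constructed$hash:19900:0:30:7:::
dave:$6$constructed$hash:19000:0:99999:7:::
erin:!$6$constructed$hash:19990:0:30:7:::
EOF
}

# Demo with a fixed "today" of day 20000 so the output is reproducible.
sample_shadow | audit_aging - 20000
```

On a real system, call audit_aging /etc/shadow as root, since the shadow file is not readable by ordinary users.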

One comment

  1. “Plenty of Linux admins force their users to change their passwords on a regular basis to prevent security breaches before any problems arise.”
    Sounds great in theory. I worked in an organization with over 7,000 PCs. The policy was that every 30 days user passwords must be changed. Passwords were supposed to be alphanumeric and contain special characters. The passwords were dutifully changed and they conformed to the requirements. However, at least 50% of the users had yellow sticky notes with their latest password stuck up someplace around their desk. Many others had the passwords written down and placed in one of their desk drawers. So much for system security! You can force the users to change their passwords but you cannot force them to memorize those passwords.
