How to Change Account Passwords on Linux

Passwords have been a keystone of account security for 60 years, predating Unix by nearly a decade. Learn how to use either the command line or the GNOME desktop environment to manage your passwords in Linux.

How to Choose a Strong Password

The computer password was born from necessity. With the advent of multiuser time-sharing computer systems, the importance of separating and protecting people’s data became apparent, and the password solved that problem.

Passwords are still the most common form of account authentication. Two-factor and multifactor authentication enhance password protection, and biometric authentication provides an alternative method of identification. However, the good old password is still with us and will be for a long time to come. This means you need to know how best to create and use passwords. Some of the older practices are no longer valid.

Here are some basic password rules:

  • Don’t use passwords at all: Use passphrases instead. Three or four unrelated words connected by punctuation, symbols, or numbers are much harder to crack than a string of gobbledygook or a password with vowels swapped out for numbers.
  • Don’t re-use passwords: Don’t do this on the same or different systems.
  • Don’t share your passwords: Passwords are private. Don’t share them with others.
  • Don’t base passwords on personally significant information: Don’t use family members’ names, sports teams, favorite bands, or anything else that could be socially engineered or deduced from your social media.
  • Don’t use pattern passwords: Don’t base passwords on patterns or positions of keys, such as qwerty, 1q2w3e, and so on.

Password expiration policies are no longer best practice. If you adopt strong, secure passphrases, you’ll only have to change them if you suspect they’ve been compromised. Regular password changes inadvertently promote poor password choices because many people use a base password and just add a date or digit to the end of it.

The National Institute of Standards and Technology has written extensively on passwords and user identification and authentication. Their comments are publicly available in Special Publication 800-63-3: Digital Authentication Guidelines.

The passwd File

Historically, Unix-like operating systems stored passwords, along with other information regarding each account, in the “/etc/passwd” file. Today, the “/etc/passwd” file still holds account information, but the encrypted passwords are held in the “/etc/shadow” file, which has restricted access. By contrast, anyone can look at the “/etc/passwd” file.

To peek inside the “/etc/passwd” file, type this command:

less /etc/passwd

The contents of the file are displayed. Let’s look at the details for this account called “mary.”

Each line represents a single account (or a program that has a “user” account). There are the following seven colon-delimited fields:

  • User name: The login name for the account.
  • Password: An “x” indicates the password is stored in the /etc/shadow file.
  • User ID: The user identifier for this account.
  • Group ID: The group identifier for this account.
  • GECOS: This stands for General Electric Comprehensive Operating Supervisor. Today, the GECOS field holds a set of comma-delimited information about an account. This can include items like a person’s full name, room number, or office and home phone numbers.
  • Home: The path to the account’s home directory.
  • Shell: The shell that is started when the person logs in to the computer.

Empty fields are represented by a colon.

Incidentally, the finger command pulls its information from the GECOS field.

finger mary

The shadow File

To look inside the “/etc/shadow” file, you must use sudo:

sudo less /etc/shadow

The file is displayed. For every entry in the “/etc/passwd” file, there should be a matching entry in the “/etc/shadow” file.

Each line represents a single account, and there are nine colon-delimited fields:

  • User name: The login name for the account.
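  • Encrypted password: The encrypted password for the account. Strictly speaking, this is a salted one-way hash of the password rather than reversible encryption.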
  • Last change: The date on which the password was last changed.
  • Minimum Days: The minimum number of days required between password changes. The person has to wait this number of days before he can change his password. If this field contains a zero, he can change his password as often as he likes.
  • Maximum Days: The maximum number of days a password can be used before it must be changed. Typically, this field contains a very large number. The value set for “mary” is 99,999 days, which is over 27 years.
  • Alert Days: The number of days in advance of a password expiration date to display a reminder message.
  • Reset Lock-out: After a password expires, the system waits this number of days (a grace period) before it disables the account.
  • Account expiration date: The date on which the owner of the account will no longer be able to log in. If this field is blank, the account never expires.
  • Reserve field: A blank field for possible future use.

Empty fields are represented by a colon.
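
The relationship between the two files can be checked mechanically. The following is an added example, not part of the original article: it reads lines in “/etc/passwd” format and reports any account whose password field is not “x” or that has no matching “/etc/shadow” entry. The function name and the sample accounts are constructed for illustration.

```bash
# Constructed sample in /etc/passwd format (the hash is a placeholder, not a real hash).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mary:x:1001:1001:Mary Quinn,,,:/home/mary:/bin/bash
legacy:$1$SALT$HASHPLACEHOLDER:1002:1002::/home/legacy:/bin/sh
ghost:x:1003:1003::/home/ghost:/bin/bash
open::1004:1004::/home/open:/bin/bash'

# Constructed list of user names that have a line in the shadow file.
SAMPLE_SHADOW_USERS='root mary legacy open'

# audit_passwd "USER1 USER2 ..."   (passwd-format lines on stdin)
# Prints one finding per problem account and nothing for healthy ones.
audit_passwd() {
    awk -F: -v shadow_users="$1" '
    BEGIN {
        n = split(shadow_users, u, " ")
        for (i = 1; i <= n; i++) has[u[i]] = 1
    }
    # Every account line must have exactly seven colon-delimited fields.
    NF != 7      { print $1 ": malformed (" NF " fields)"; next }
    # An empty second field means no password is recorded for the account.
    $2 == ""     { print $1 ": empty-password-field"; next }
    # Anything other than "x" means the value lives in the world-readable file.
    $2 != "x"    { print $1 ": password-not-shadowed"; next }
    # "x" promises a shadow entry, so one has to exist.
    !($1 in has) { print $1 ": no-shadow-entry" }
    '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd "$SAMPLE_SHADOW_USERS"
```

On a live system, feed the function from “/etc/passwd” and build the user list with `sudo cut -d: -f1 /etc/shadow`.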

Getting the “Last change” Field as a Date

The Unix epoch started on January 1, 1970. The value for the “Last change” field is 18,209. This is the number of days between January 1, 1970, and the day the password for the account “mary” was last changed.

Use this command to see the “Last change” value as a date:

date -d "1970-01-01 18209 days"

The date is shown as midnight on the day the password was last changed. In this example, it was November 9, 2019.

The passwd Command

You use the passwd command to change your password, and—if you have sudo privileges—the passwords of others.

To change your password, use the passwd command with no parameters:

passwd

You must type your current password and your new one twice.

Changing Someone Else’s Password

To change the password of another account, you must use sudo, and provide the name of the account:

sudo passwd mary

You must type your password to verify you have superuser privileges. Type the new password for the account, and then type it again to confirm.

Forcing a Password Change

To force someone to change her password the next time she logs in, use the -e (expire) option:

sudo passwd -e mary

You’re told the password expiration date has been changed.

When the owner of the account “mary” next logs in, she’ll see a “Warning: Your password has expired” message and will have to change her password.

Lock an Account

To lock an account, type passwd with the -l (lock) option:

sudo passwd -l mary

You’re told the password expiration date was changed.

The owner of the account will no longer be able to log in to the computer with her password. To unlock the account, use the -u (unlock) option:

sudo passwd -u mary

Again, you’re informed that the password expiry data was changed.

Note that locking with -l only blocks password logins. While the account is locked, the owner can’t log in to the computer with her password, but she could still log in with an authentication method that doesn’t require her password, such as SSH keys.

If you really want to lock someone out of the computer, you need to expire the account.

The chage Command

No, there isn’t an “n” in chage. It stands for “change age.” You can use the chage command to set an expiration date for an entire account.

Let’s take a look at the current settings for the “mary” account, with the -l (list) option:

sudo chage -l mary

The expiration date for the account is set to “never.”

To change the expiration date, use the -E (expiry) option. If you set it to zero, this is interpreted as “zero days from the Unix epoch,” i.e., January 1, 1970.

Type the following:

sudo chage -E0 mary

Recheck the account expiration date:

sudo chage -l mary

The account expiration date is now shown as “Jan 01, 1970.”

Because the expiration date is in the past, this account is now truly locked, regardless of any authentication method the owner might use.

To reinstate the account, use the same command with -1 as the numerical parameter:

sudo chage -E -1 mary

Type the following to double-check:

sudo chage -l mary

The account expiration date is reset to “never.”
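
The difference between a locked password and an expired account is visible directly in the “/etc/shadow” fields described earlier. The following added example (not from the original article) classifies each account from shadow-format lines and converts the day counts to dates. It assumes the conventions documented in shadow(5) and passwd(1): passwd -l puts a “!” in front of the stored hash, and a lone “*” means no usable password. The function names and sample lines are constructed.

```bash
# Constructed sample in /etc/shadow format (hash values are placeholders).
SAMPLE_SHADOW='mary:$6$SALT$HASHPLACEHOLDER:18209:0:99999:7:::
bob:!$6$SALT$HASHPLACEHOLDER:18209:0:99999:7:::
eve:$6$SALT$HASHPLACEHOLDER:18209:0:99999:7::0:
svc:*:18000:0:99999:7:::'

# Convert "days since January 1, 1970" (fields 3 and 8) to YYYY-MM-DD.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# shadow_report TODAY_DAYS   (shadow-format lines on stdin)
# Prints: user password-state account-state last-change-days
shadow_report() {
    awk -F: -v today="$1" '
    NF == 9 {
        # Field 2: the stored hash, or a marker that blocks password logins.
        if ($2 == "")        pw = "EMPTY"
        else if ($2 ~ /^!/)  pw = "locked"
        else if ($2 == "*")  pw = "no-password"
        else                 pw = "set"
        # Field 8: account expiration day; blank means the account never expires.
        if ($8 != "" && today + 0 >= $8 + 0) acct = "expired"
        else                                 acct = "active"
        print $1, pw, acct, $3
    }'
}

# Demonstration: "bob" is only password-locked, "eve" is expired outright.
today=$(( $(date +%s) / 86400 ))
printf '%s\n' "$SAMPLE_SHADOW" | shadow_report "$today" |
while read -r user pw acct last; do
    printf '%-5s password=%-12s account=%-8s last-change=%s\n' \
        "$user" "$pw" "$acct" "$(days_to_date "$last")"
done
```

An account reported as “locked” but “active” is the case the article warns about: password logins are blocked, but key-based logins are not.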

Changing an Account Password in GNOME

Ubuntu and many other Linux distributions use GNOME as the default desktop environment. You can use the “Settings” dialog to change the password for an account.

To do so, in the system menu, click the Settings icon.

In the Settings dialog, click “Details” in the pane on the left, and then click “Users.”

Click the account for which you want to change the password (in this example, we’ll select “Mary Quinn”), and then click “Unlock.”

You’re prompted for your password. After you’re authenticated, “Mary’s” details become editable. Click the “Password” field.

In the “Change Password” dialog, click the “Set a Password Now” radio button.

Type the new password in the “New Password” and “Verify New Password” fields.

If the password entries match, the “Change” button turns green; click it to save the new password.

In other desktop environments, the account tools will be similar to those in GNOME.

Stay Safe, Stay Secure

For 60 years, the password has been an essential part of online account security, and it isn’t going away any time soon.

This is why it’s important to administer them wisely. If you understand the mechanisms of passwords in Linux and adopt the best password practices, you’ll keep your system secure.

Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. Dave is a Linux evangelist and open source advocate.

The above article may contain affiliate links, which help support How-To Geek.