Passwords have been a keystone of account security for 60 years, predating Unix by nearly a decade. Learn how to use either the command line or the GNOME desktop environment to manage your passwords in Linux.

How to Choose a Strong Password

The computer password was born from necessity. With the advent of multiuser time-sharing computer systems, the importance of separating and protecting people's data became apparent, and the password solved that problem.

Passwords are still the most common form of account authentication. Two-factor and multifactor authentication add a layer on top of the password, and biometrics offer an alternative, but the good old password is still with us and will be for a long time to come. That means you need to know how to create and use them well, and some of the older advice is no longer valid.

Here are some basic password rules:

  • Don't use passwords at all: Use passphrases instead. Three or four unrelated words joined by punctuation, symbols, or numbers are far harder to crack than a short string of gobbledygook or a word with its vowels swapped for numbers; length adds far more entropy than substitutions that cracking tools already try.
  • Don't reuse passwords: Not across accounts on the same system, and not across systems. One breached site then exposes every account that shares the password (attackers call this credential stuffing).
  • Don't share your passwords: Passwords are private. Don't share them with others.
  • Don't base passwords on personally significant information: Don't use family members' names, sports teams, favorite bands, or anything else that could be socially engineered or deduced from your social media.
  • Don't use pattern passwords: Don't base passwords on patterns or positions of keys, such as qwerty, 1q2w3e, and so on. They're in every cracking wordlist.

Password expiration policies are no longer best practice. If you adopt strong, secure passphrases, you'll only have to change them if you suspect they've been compromised. Regular password changes inadvertently promote poor password choices because many people use a base password and just add a date or digit to the end of it.

The National Institute of Standards and Technology has written extensively on passwords and user identification and authentication. Its guidance is publicly available as Special Publication 800-63-3, Digital Identity Guidelines; the password rules themselves (no composition rules, no forced periodic rotation, and checking new passwords against lists of breached ones) are in part 800-63B.

The passwd File

Historically, Unix-like operating systems stored password hashes, along with other information about each account, in the "/etc/passwd" file. Today, "/etc/passwd" still holds the account information, but the password hashes live in "/etc/shadow", which is readable only by root (and, on some distributions, by members of the shadow group). By contrast, anyone can read "/etc/passwd": ordinary tools such as ls need it to map user IDs to names. The split matters because an offline cracking attack needs the hashes; the rest of the account data is of little use on its own.

To peek inside the "/etc/passwd" file, type this command:

less /etc/passwd

The contents of the file are displayed. Let's look at the details for this account called "mary."

Each line represents a single account (or a program that has a "user" account) and has seven colon-delimited fields:

  • User name: The login name for the account.
  • Password: An "x" indicates the hash is stored in the /etc/shadow file. Anything else here is worth investigating: an empty field traditionally means no password is required, and a hash stored here would be world-readable.
  • User ID: The user identifier for this account.
  • Group ID: The group identifier for this account.
  • GECOS: This stands for General Electric Comprehensive Operating Supervisor. Today, the GECOS field holds a set of comma-delimited information about an account. This can include items like a person's full name, room number, or office and home phone numbers.
  • Home: The path to the account's home directory.
  • Shell: The program run when the person logs in, typically /bin/bash. Service accounts usually get /usr/sbin/nologin or /bin/false so that nobody can open an interactive session as them.

An empty field appears as two adjacent colons.
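To turn the field descriptions above into a check you can actually run, here is an added example (not code from the article) that audits a passwd-format file for the things an administrator should notice: a password field that isn't "x", a second UID 0 account, and a UID shared between accounts. It takes the file path as an argument so it can be pointed at /etc/passwd on a live system or, as here, at a constructed sample; the sample accounts and the hash in it are made up.

```shell
#!/bin/sh
# Added example, not from the article: audit a passwd-format file.
# Fields: user:password:UID:GID:GECOS:home:shell

# audit_passwd FILE
# Prints one line per finding; prints nothing if the file looks clean.
audit_passwd() {
    file=$1
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue                      # skip blank lines
        case $pw in
            x)  ;;                                      # expected: hash is in /etc/shadow
            '') printf '%s: empty password field (login without a password)\n' "$user" ;;
            *)  printf '%s: hash stored in the world-readable passwd file\n' "$user" ;;
        esac
        if [ "$uid" = 0 ] && [ "$user" != root ]; then
            printf '%s: UID 0 (root-equivalent account)\n' "$user"
        fi
    done < "$file"
    # Any UID used by more than one account: two names, one identity on disk
    awk -F: 'NF { print $3 }' "$file" | sort | uniq -d | while read -r dup; do
        names=$(awk -F: -v u="$dup" '$3 == u { printf "%s%s", (n++ ? "," : ""), $1 }' "$file")
        printf 'UID %s shared by: %s\n' "$dup" "$names"
    done
}

# write_sample_passwd FILE: constructed sample data, not a real system's file
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mary:x:1001:1001:Mary Quinn,,,:/home/mary:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/bash
legacy:$6$saltsalt$notarealhash:1002:1002::/home/legacy:/bin/bash
guest::1003:1003::/home/guest:/bin/sh
EOF
}

sample=$(mktemp)
write_sample_passwd "$sample"
audit_passwd "$sample"
rm -f "$sample"
```

On a live system, audit_passwd /etc/passwd needs no privileges because the file is world-readable. A non-empty result isn't automatically a compromise (some appliance images ship a second UID 0 account on purpose), but every line it prints is something you should be able to explain.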

Incidentally, the finger command pulls its information from the GECOS field.

finger mary

Related: How to Use the finger Command on Linux

The shadow File

To look inside the "/etc/shadow" file, you must use sudo:

sudo less /etc/shadow

The file is displayed. For every entry in the "/etc/passwd" file, there should be a matching entry in the "/etc/shadow" file; the pwck command reports any that are missing or inconsistent.

Each line represents a single account, and there are nine colon-delimited fields:

  • User name: The login name for the account.
  • Password hash: The salted hash of the password, prefixed with an identifier for the algorithm used ($6$ for SHA-512, $y$ for yescrypt, $5$ for SHA-256, $1$ for the old and weak MD5). A leading "!" means the password is locked, and "*" or "!" on its own means no password has been set, so logging in with a password is impossible.
  • Last change: The date on which the password was last changed, stored as a number of days since the Unix epoch. A zero here means the user must change the password at the next login.
  • Minimum days: The minimum number of days between password changes. The person has to wait this many days before changing the password again. If this field contains a zero, the password can be changed as often as the person likes.
  • Maximum days: The maximum number of days a password stays valid before it must be changed. Typically, this field contains a very large number. The value set for "mary" is 99,999 days, which is over 27 years.
  • Warning days: The number of days before a password expires that a reminder message is shown at login.
  • Inactive days: After a password expires, the number of days of grace during which the person can still log in and set a new one; after that, the account is disabled.
  • Account expiration date: The date on which the owner of the account will no longer be able to log in. If this field is blank, the account never expires.
  • Reserve field: A blank field for possible future use.

An empty field appears as two adjacent colons.

Getting the "Last change" Field as a Date

The Unix epoch started on January 1, 1970. The value for the "Last change" field is 18,209: the number of days after January 1, 1970, on which the password for the account "mary" was changed.

Use this command to see the "Last change" value as a date:

date -d "1970-01-01 18209 days"

The date is shown as midnight on the day the password was last changed. In this example, it was November 9, 2019.

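The "/etc/shadow" fields above, the day-count conversion just shown, and the markers that the passwd and chage commands covered later on this page leave behind can all be read back with a short script. The following is an added example, not code from the article: it classifies each password field, converts the aging fields to dates with GNU date (the same tool the article uses), and reports what each account's state means for logging in. The account names and hashes in the sample file are constructed placeholders, and "today" is passed in as a fixed day number so the output is reproducible.

```shell
#!/bin/sh
# Added example, not from the article: read a shadow-format file and
# report what the password field and the aging fields imply.
# Fields: user:hash:lastchg:min:max:warn:inactive:expire:reserved

# days_to_date N: day count since 1970-01-01 -> YYYY-MM-DD (GNU date, as in the article)
days_to_date() {
    date -u -d "1970-01-01 $1 days" +%F
}

# classify_password HASH: what the password field means
classify_password() {
    case $1 in
        '')                 echo none ;;          # no password at all
        '*'|'!'|'!!'|'!*')  echo no-password ;;   # never set or disabled; password login impossible
        '!'*)               echo locked ;;        # passwd -l: the real hash is kept behind a leading '!'
        '$y$'*)             echo yescrypt ;;
        '$6$'*)             echo sha512 ;;
        '$5$'*)             echo sha256 ;;
        '$2'*)              echo bcrypt ;;
        '$1$'*)             echo md5-weak ;;
        '$'*)               echo unknown ;;
        *)                  echo descrypt-weak ;; # 13-character traditional DES crypt
    esac
}

# audit_shadow FILE TODAY_DAYS
# TODAY_DAYS is today's day number since the epoch; passing it in keeps the
# output reproducible. For a live run use: $(( $(date -u +%s) / 86400 ))
audit_shadow() {
    file=$1 today=$2
    while IFS=: read -r user pw last min max warn inact expire reserved; do
        [ -n "$user" ] || continue
        kind=$(classify_password "$pw")
        case $kind in
            none)    printf '%s: no password; login needs none\n' "$user" ;;
            locked)  printf '%s: password locked (passwd -l); SSH keys still work\n' "$user" ;;
            *-weak)  printf '%s: weak hash (%s); force a change\n' "$user" "$kind" ;;
        esac
        if [ "$last" = 0 ]; then
            printf '%s: must change password at next login (passwd -e)\n' "$user"
        elif [ -n "$last" ] && [ -n "$max" ] && [ $((last + max)) -lt "$today" ]; then
            printf '%s: password expired on %s\n' "$user" "$(days_to_date $((last + max)))"
        fi
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            printf '%s: account expired on %s (blocks every login method)\n' \
                "$user" "$(days_to_date "$expire")"
        fi
    done < "$file"
}

# write_sample_shadow FILE: constructed sample; the hashes are placeholders, not real
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$saltsalt$notarealhash:18209:0:99999:7:::
mary:$y$j9T$saltsalt$notarealhash:18209:0:99999:7:::
bob:!$6$saltsalt$notarealhash:18209:0:99999:7:::
daemon:*:18000:0:99999:7:::
old:$1$salt$notarealhash:17000:0:90:7:::
contractor:$6$saltsalt$notarealhash:18209:0:99999:7::18300:
guest::18209:0:99999:7:::
forced:$6$saltsalt$notarealhash:0:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample_shadow "$sample"
echo "mary's password was last changed on $(days_to_date 18209)"
audit_shadow "$sample" 18500          # 18500 is 2020-08-26, used as a fixed "today"
rm -f "$sample"
```

Against the real file, sudo sh -c '. ./audit.sh; audit_shadow /etc/shadow $(( $(date -u +%s) / 86400 ))' is the shape of the call; reading "/etc/shadow" needs root, which is the whole point of the file. Note the difference between the "locked" line and the "account expired" line: the first only stops password logins, the second stops all of them.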
The passwd Command

You use the passwd command to change your password, and---if you have sudo privileges---the passwords of others.

To change your password, use the passwd command with no parameters:

passwd

You're asked for your current password, and then for the new one twice.

Changing Someone Else's Password

To change the password of another account, you must use sudo, and provide the name of the account:

sudo passwd mary

You must type your own password so sudo can verify you have superuser privileges. Then type the new password for the account, and type it again to confirm. The account's current password isn't asked for, which is exactly why an administrator can reset a password its owner has forgotten.

Forcing a Password Change

To force someone to change her password the next time she logs in, use the -e (expire) option:

sudo passwd -e mary

You're told the password expiry information has been changed. What passwd -e actually does is set the "Last change" field in /etc/shadow to zero, which the login process treats as an expired password.

When the owner of the account "mary" next logs in, she'll have to change her password:

Lock an Account

To lock an account, type passwd with the -l (lock) option:

sudo passwd -l mary

You're told the password expiry information was changed. Behind the scenes, passwd -l prefixes the hash in /etc/shadow with a "!", which no password can ever match; the original hash is preserved, so unlocking simply restores it.

The owner of the account can no longer log in to the computer with her password. To unlock the account, use the -u (unlock) option:

sudo passwd -u mary

Again, you're informed that the password expiry data was changed:

Be clear about what a password lock does and doesn't do. While the lock is in place, the owner can't log in with her password. However, she can still log in with an authentication method that doesn't involve the password, such as SSH keys, and anything already running under her account keeps running.

If you really want to lock someone out of the computer, you need to expire the account.

Related: How to Create and Install SSH Keys From the Linux Shell

The chage Command

No, there isn't an "n" in chage. It stands for "change age." You can use the chage command to set an expiration date for an entire account.

Let's take a look at the current settings for the "mary" account, with the -l (list) option:

sudo chage -l mary

The expiration date for the account is set to "never."

To change the expiration date, use the -E (expiry) option. It accepts either a date in YYYY-MM-DD form or a number of days since the Unix epoch. If you set it to zero, this is interpreted as "zero days from the Unix epoch," i.e., January 1, 1970.

Type the following:

sudo chage -E0 mary

Recheck the account expiration date:

sudo chage -l mary

Because the expiration date is in the past, this account is now locked regardless of the authentication method the owner uses: console login, su, and sshd all honor the account expiry. Existing sessions and processes are not terminated, so if you're removing access in a hurry, end those separately.

To reinstate the account, use the same command with -1 as the numerical parameter:

sudo chage -E -1 mary

Type the following to double-check:

sudo chage -l mary

The account expiration date is reset to "never."

Changing an Account Password in GNOME

Ubuntu and many other Linux distributions use GNOME as the default desktop environment. You can use the "Settings" dialog to change the password for an account.

To do so, in the system menu, click the Settings icon.

In the Settings dialog, click "Details" in the pane on the left, and then click "Users."

Click the account whose password you want to change; in this example, we'll select "Mary Quinn." Then click "Unlock."

You're prompted for your password. After you're authenticated, Mary's details become editable. Click the "Password" field.

In the "Change Password" dialog, click the "Set a Password Now" radio button.

Type the new password in the "New Password" and "Verify New Password" fields.

If the password entries match, the "Change" button turns green; click it to save the new password.

In other desktop environments, the account tools will be similar to those in GNOME.

Stay Safe, Stay Secure

For 60 years, the password has been an essential part of account security, and it isn't going away any time soon.

This is why it's important to administer them wisely. If you understand the mechanisms of passwords in Linux and adopt the best password practices, you'll keep your system secure.
