How to view and configure password expiration on Linux

With the right settings, you can force Linux users to change their passwords regularly. Here's how to check your password aging settings and how to change them.

User passwords on Linux systems can be configured to be permanent or to have an expiration date so that people have to reset them periodically. For security reasons, it is generally considered good practice to change passwords regularly, but this is not configured by default.

To view and modify password expiration, you need to be familiar with several important commands: the chage command and its -l option, and the passwd command and its -S option. This article will introduce these commands, as well as some other chage command options to configure password aging.

View password expiration settings

To determine whether password expiration has been set for a specific account, use the chage command as shown below. Note that checking any account other than your own requires root privileges. Note the password expiration date in the output.

$ sudo chage -l dory
Last password change : Mar 15, 2020
Password expires: Jun 13, 2020 <==
Password inactive : never
Account expires: never
Minimum number of days between password change: 10
Maximum number of days between password changes: 90
Number of days of warning before password expires: 14

If password aging is not applied, the account information will look like this:

$ sudo chage -l nemo
Last password change : Jan 14, 2019
Password expires: never <==
Password inactive : never
Account expires: Mar 26, 2706989
Minimum number of days between password change: 0
Maximum number of days between password changes: 99999
Number of days of warning before password expires: 7

You can also use the passwd -S command to view some information, but you need to know what each field in the output represents:

dory$ passwd -S
dory P 03/15/2020 10 90 14 -1

The seven fields here represent:

  • 1 – Username
  • 2 – Account status (L = Locked, NP = No Password, P = Password Available)
  • 3 – Date of last password change
  • 4 – Minimum age for change (the password cannot be changed until it is at least this many days old)
  • 5 – Maximum age (after this number of days, the password must be changed)
  • 6 – Number of days of warning before password expiration
  • 7 – Number of days after password expiration before the account is locked (made inactive)

One thing to note is that the chage command does not show whether an account is locked; it only shows the password aging settings. The passwd -S command, on the other hand, will tell you when a password is locked. In this example, note that the account status is L:

$ sudo passwd -S dorothy
dorothy L 07/09/2019 0 99999 7 10

The lock is implemented by replacing the field in the /etc/shadow file that normally contains the password hash with a !, so that no password can match it.

$ sudo grep dorothy /etc/shadow
dorothy:!:18086:0:99999:7:10:: <==

The fact that the account is locked is not obvious from the chage output:

$ sudo chage -l dorothy
Last password change : Jul 09, 2019
Password expires: never
Password inactive : never
Account expires: never
Minimum number of days between password change: 0
Maximum number of days between password changes: 99999
Number of days of warning before password expires: 7
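The lock marker and the aging values sit in the same /etc/shadow record, so one pass over the file can report both. The script below is an added example, not part of the original article: the function names shadow_audit and sample_shadow are hypothetical, the dory and nemo lines are constructed from the chage output above with placeholder hashes, and the dorothy line is the one shown on this page.

```shell
#!/bin/sh
# Report lock status and password aging from shadow-format lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg is counted in days since 1970-01-01)

# shadow_audit TODAY  -- TODAY is the current date in days since the epoch.
# Reads shadow lines on stdin, prints: user status aging days_left
shadow_audit() {
    awk -F: -v today="$1" '
    NF >= 8 {
        # A leading "!" (as on this page) or "*" cannot match any hash.
        if ($2 ~ /^[!*]/)   status = "L"
        else if ($2 == "")  status = "NP"
        else                status = "P"

        # An empty or 99999 maximum means the password never expires.
        if ($5 == "" || $5 + 0 >= 99999) { aging = "never"; left = "-" }
        else {
            left = ($3 + $5) - today          # days until expiry
            if (left < 0)                        aging = "expired"
            else if ($6 != "" && left <= $6 + 0) aging = "warning"
            else                                 aging = "ok"
        }
        print $1, status, aging, left
    }'
}

# Constructed sample input; the hashes are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
dory:$6$EXAMPLE$notarealhash:18336:10:90:14:::
nemo:$6$EXAMPLE$notarealhash:17910:0:99999:7:::
dorothy:!:18086:0:99999:7:10::
EOF
}

# Day 18415 falls inside dory's 14-day warning window (expiry is day 18426).
sample_shadow | shadow_audit 18415
```

On a live system, feed it the real file as root and pass today's day number, for example `$(( $(date +%s) / 86400 ))`.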

Some options for password aging

The most common settings are the minimum and maximum number of days. They are often used in combination. For example, you can configure a password so that it cannot be used for more than 90 days (maximum), and then add that it cannot be changed until a week or 10 days have passed (minimum). This ensures that users do not revert to their old passwords immediately after they are required to change them.

$ sudo chage -M 90 -m 10 shark
$ sudo chage -l shark
Last password change : Mar 16, 2020
Password expires: Jun 14, 2020
Password inactive : never
Account expires: never
Minimum number of days between password change: 10 <==
Maximum number of days between password change: 90 <==
Number of days of warning before password expires: 7

You can also set a specific expiration date for the account using the -E option.

$ sudo chage -E 2020-11-11 tadpole
$ sudo chage -l tadpole
Last password change : Oct 15, 2019
Password expires: never
Password inactive : never
Account expires: Nov 11, 2020 <==
Minimum number of days between password change: 0
Maximum number of days between password changes: 99999
Number of days of warning before password expires: 7

Password aging can be an important option, as long as it does not encourage users to use passwords that are too simple or to write them down in an insecure manner. For more information on controlling password characters (e.g., a combination of uppercase and lowercase letters, numbers, etc.), refer to this article on password complexity.
