Linux users must change their passwords from time to time to keep their accounts secure. And as a system administrator, it’s your responsibility to nudge them if they forget to change the password and continue using it for a long time.
On Linux, user passwords are set to expire after 99,999 days by default. However, you can override the default settings and set the passwords to expire immediately.
Here’s how to force Linux users to change their passwords at the next login.
Using the passwd Command
Using the passwd command, you can change a user’s password and settings related to password expiry. Note that you will need admin privileges to view or change the password-related settings.
To display user account status information, use the passwd command with the -S option:
sudo passwd -S username
The first field in the output shows the user’s login name. The second field displays P if the user has a valid and usable password, displays L if the user has a locked password, and displays NP if there’s no password set.
The third field displays the date when the password was last changed. The next fields display the minimum and maximum password age, followed by a warning and inactivity period (in days).
To expire a user’s password and force them to change it at the next login, use the passwd command with the -e or –expire option:
sudo passwd -e username
The system will ask the user to change their password at the next login. But before setting a new password, they’ll have to provide the current password.
You can also configure the password to expire after a certain number of days since it was last changed. For instance, to expire the user’s password after every 30 days, the command would be:
sudo passwd -x 30 username
Now the password will remain valid for 30 days. After that, the user must change their password.
To configure the minimum number of days before a user can make another password change, use the -n or –mindays option. For instance, to configure a minimum of five days between a password change, the command would be:
sudo passwd -n 5 username
Using the chage Command
In Linux, the chage command sets up an expiration policy for user passwords. You can use it to expire the user password immediately or after a certain number of days. Note that you will need admin privileges to view or change any password-related settings.
To check the password’s current aging information, use the chage command with the -l option:
sudo chage -l username
The output here shows that the password of the user was last changed on Oct 24, 2022, and it is configured to never expire.
To expire a user’s password immediately and force them to change it at the next login, use the chage command with the -d or –lastday option:
sudo chage -d 0 username
This command will immediately expire the user’s current password. Now if you view the password aging information, it will tell you that the user must change the password.
To configure the password to expire after a certain number of days after it was last changed, use the chage command with the -M or –maxdays option. For instance, to expire the user’s password after every 60 days, the command would be:
sudo chage -M 60 username
Now the user will have to change the password after 60 days from the day it was last changed. For instance, if the password was last changed on Oct 26, 2022, it will now expire on Dec 25, 2022.
You can also specify the minimum number of days before a user can make another password change. To do that, use the -m or –mindays option. For instance, to configure a minimum of five days between a password change, the command would be:
sudo chage -m 5 username
Keep Your User Accounts Secure on Linux
Enforcing users to change their passwords regularly helps keep their accounts secure and reduces the likelihood of a password attack. With the passwd and chage commands in Linux, you can expire users’ passwords and force them to change their passwords at the next login. However, it is important to use a strong password each time for your accounts.
If you find it difficult to come up with a strong and secure password each time, consider following some tips that make this task easier for you.