To ensure the security of a system and its users’ credentials, administrators may use different tools and methods to expire account passwords. This aspect is crucial to managing any system properly. The obvious benefit of expiring passwords is reducing the risk of unauthorized access by periodically making the users update their passwords. Thus, an administrator can render compromised passwords useful for only a limited time.
In this tutorial, we’ll provide an in-depth step-by-step guide on how to expire passwords. It will cover several methods such as using the passwd command with the -e option, chage command, usermod command, and the shadow password file. Importantly, superuser access is needed to run any of these commands for our purposes.
2. Using the passwd Command
The Linux community mostly uses the passwd command for changing passwords. Yet, we can also use it to expire a Linux user’s password, forcing them to change it upon their next login.
To achieve this, we use the –expire (-e for short) switch to immediately expire a certain user’s password:
$ sudo passwd -e cicada
After successfully executing the command, the password of the user “cicada” will expire immediately.
In fact, when the user attempts to log in with their old password, they’ll be prompted to change their password. Usually, the user is notified with a message like You are required to change your password immediately.
Let’s check an example where the user found out that their password has expired:
$ su - cicada Password: You are required to change your password immediately (administrator enforced). Changing password for cicada. Current password: New password: Retype new password:
As an aside, another way to expire passwords is by using the –maxdays (-x for short) option and specifying the maximum number of days a password should be valid for a user. Once that time frame is surpassed, the user will have to change their password. However, this approach is more suitable for setting up a certain password change policy.
3. Using the chage Command
We can use the chage command for changing and checking the aging information of an account’s password. Similar to the previous command, the chage command can be also utilized to force password expiration both instantly and after a predefined number of days.
To force a user to change their password immediately, we can use the -d (short for –lastday) option. We can set the number of days since January 1st, 1970 when the password will expire:
$ sudo chage -d 0 zack
Here, we passed 0 days as a value to the option, meaning the password of the user (zack) will expire immediately. As expected, they will be forced to change their password upon the next login attempt.
In contrast to the passwd command, chage provides the option to set a specific expiration date for a user’s whole account and not just for their password. So, contrary to setting a certain number of days, we can set a date using the –expiredate (-E for short) option:
$ chage -E 2023-01-21 smara
This use of chage won’t prompt the user to change their password, being that we expire the whole account with -E.
Let’s use the -d switch to expire the password alone based on a desired date. To do so, we can use the date command to calculate the number of days between the current date and the expiration date:
$ sudo chage -d $(($(date -d 2023-02-25 +%j) - $(date +%j))) smara
We’ve specified the expiration date using the -d option of the date command and also retrieved the current date. Then, we used the minus arithmetic operator to calculate the number of days between the two dates. Additionally, the +%j argument instructs the date command to invoke the day of the year (which is from 1 to 365 or 366).
4. Using the usermod Command
The usermod command is a utility for modifying settings and properties of existing users. However, just like the previously mentioned commands, we can use this to expire passwords immediately, after a certain number of days, or on a specific date.
The usermod command has the –inactive (-f for short) option which has the ability to expire passwords after a certain number of days. Just like before, we’ll expire a user immediately — after 0 days:
$ usermod -f 0 poco
When we invoke the above command, the system will notify the user (poco) that their password has expired and prompt them to change it upon their next successful login attempt.
If we want to set a specific expiration date rather than the number of days, then we can again use the date command to retrieve the number of days between the current and the desired date:
$ sudo usermod -d $(($(date -d 2023-02-25 +%j) - $(date +%j))) poco
Similar to the previous section, we utilized the date command. With some arithmetic, we calculate the number of days between the current date and the expiration date. Finally, we pass the result to the -d switch of usermod.
5. Using the /etc/shadow File
Now, we’ll discuss a different method that focuses on editing system files to expire users’ passwords. For instance, it’s possible to expire passwords by making changes to the /etc/shadow file. Moreover, we should practice this method with extra caution as it’s error-prone and may lock us out of the system since we’re editing a system file.
Thus, to edit the /etc/shadow file, we’ll use vipw. First, let’s locate the user password we want to expire:
Now, we modify the third colon-delimited argument related to the number of days until the password expires.
For instance, we can set the number of days to 0 to expire the user (bouhannana) password immediately:
The third argument represents the number of days since 1 January 1970 when the password will expire. So, the user will have to change their password the next time they attempt to log in.
Additionally, we can set a specific date for expiration. For this, we use the date command as illustrated in earlier sections.
In this article, we’ve discussed how to expire passwords and force users to change them upon their next login. We’ve covered several common methods and commands that can be used to accomplish this objective. These include the passwd, change, and usermod commands, and editing /etc/shadow. Furthermore, we’ve also tackled different ways to expire passwords:
- after a certain number of days
- on a specific date
Overall, we provided an in-depth look at the process of expiring passwords as an administrator.