How to Force Users to Change Their Passwords

Enforce system security through a strict password-rotation regime

Protect the security of your Linux system by forcing each authorized user to choose a strong password and to change it periodically.

User Password Expiry Information

To display a user's password expiry information run the following command:

chage -l login

The returned information reveals:

  • When the password was last changed
  • When the password expires
  • How many days of inactivity before the password expires
  • When the account expires
  • Minimum number of days between password changes
  • Maximum number of days between password changes
  • Number of days warning before the password expires.

How to Force a User to Change Their Password Every 90 Days

Force a user to change his or her password after a set number of days by using the following command:

sudo chage -M 90 login

Use sudo to elevate your permissions to run this command or switch to a user who has the appropriate permissions using the su command.

You can, of course, specify the number of days that suits your own security policy.

How to Set the Expiry Date for an Account

Set the expiry date for accounts as follows:

sudo chage -E 2020-08-31 login

If you run the chage -l command now, you'll see that the account will indeed expire on the 31st of August 2020.

After an account has expired, an administrator can clear the expiration date by running the following command:

sudo chage -E -1 login

Set the Number of Days After the Password Expires Before the Account Is Locked

Set the number of days after a password expires before the account becomes locked.

To set the number of inactive days run the following command:

sudo chage -I 5 login

The above command will give the user five days to access his account and change the password before the account becomes locked.

An administrator can clear the lock by running the following command:

sudo chage -I -1 login

How to Warn a User His Password Is About to Expire

Warn a user every time he or she logs in that the account's password is going to expire.

To start warning the user seven days before the password expires, run the following command:

sudo chage -W 7 login

How to Prevent a User Changing Their Password Too Often

To prevent users from changing their password too often, set a minimum number of days before the password can be changed with the following command:

sudo chage -m 5 dave

It is up to you whether you enforce this option. Most people are reluctant to change their passwords rather than obsessive about it.

Remove the limit by specifying the following command:

sudo chage -m 0 dave
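
To find accounts that fall short of the settings used in this article, the following added example (not part of the original article) audits shadow-format records against a 90-day maximum age, a 7-day warning period and a set inactivity period. It assumes the standard /etc/shadow field order; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-format records against the aging values
# used in this article's chage commands.
# Shadow fields: 1 login, 2 hash, 3 last change, 4 min (-m), 5 max (-M),
#                6 warn (-W), 7 inactive (-I), 8 account expiry (-E)

MAX_DAYS=90   # matches "chage -M 90"
WARN_DAYS=7   # matches "chage -W 7"

# Reads shadow-format lines on stdin, prints one "login: finding" per issue.
audit_aging() {
    awk -F: -v max="$MAX_DAYS" -v warn="$WARN_DAYS" '
        # Skip accounts whose password is locked or disabled (! or * prefix)
        $2 ~ /^[!*]/ { next }
        {
            if ($5 == "" || $5 + 0 > max)
                print $1 ": max age " ($5 == "" ? "unset" : $5) ", fix with chage -M " max
            if ($6 == "" || $6 + 0 < warn)
                print $1 ": warning period " ($6 == "" ? "unset" : $6) ", fix with chage -W " warn
            if ($7 == "")
                print $1 ": no inactivity lock, fix with chage -I <days>"
        }'
}

# Constructed sample records (the hash field is a placeholder, not a real hash).
sample_shadow() {
    cat <<'EOF'
alice:$6$PLACEHOLDER:19000:5:90:7:5::
bob:$6$PLACEHOLDER:19000:0:99999:7:::
carol:$6$PLACEHOLDER:19000:0:90:3:5:20000:
daemon:*:19000:0:99999:7:::
EOF
}

# On a real system, run as root: audit_aging < /etc/shadow
sample_shadow | audit_aging
```

On the sample data this reports two findings for bob and one for carol; alice meets the policy and the disabled daemon account is skipped.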