How To Force Users To Change Their Passwords

Various clocks and the words tick tock tick tock

Lifewire

by Gary Newell
Gary Newell was a freelance contributor, application developer, and software tester with 20+ years in IT, working on Linux, UNIX, and Windows.
Updated March 25, 2019

Introduction

A system administrator's life is not an easy one. Maintaining system integrity, maintaining security, troubleshooting issues. There are so many spinning plates.

When it comes to security you need your users to choose a strong password and you need them to change it periodically.

This guide shows you how to force users to change their password using the change command.

User Password Expiry Information

To find out about a user's password expiry information run the following command:

chage -l

The returned information is as follows:

  • When the password was last changed
  • When the password expires
  • How many days of inactivity before the password expires
  • When the account expires
  • Minimum number of days between password changes
  • Maximum number of days between password changes
  • Number of days warning before the password expires.

How to Force a User to Change Their Password Every 90 Days

You can force a user to change their password after a set number of days by using the following command:

sudo chage -M 90

You will need to use sudo to elevate your permissions to run this command or switch to a user who has the appropriate permissions using the su command.

If you now run the chage -l command you will see that the expiry date is set and the maximum number of days is 90.

You can, of course, specify the number of days that suits your own security policy.

How to Set the Expiry Date for an Account

Imagine Uncle Dave and Aunty Joan are visiting your house for a holiday. You can create each of them an account using the following adduser command:

sudo adduser davesudo adduser joan

Now that they have accounts you can set their initial passwords using the passwd command as follows:

sudo passwd davesudo passwd joan

Imagine that Dave and Joan are leaving on the 31st of August 2020. You can set the expiry date for the accounts as follows:

sudo chage -E 2020-08-31 dave sudo chage -E 2020-08-31 joan

If you run the chage -l command now you should see that the account will indeed expire on the 31st August 2020.

After an account is expired an administrator can clear the expiration date by running the following command:

sudo chage -E -1 dave

Set the Number of Days After the Password Expires Before the Account Is Locked

You can set the number of days after a password expires when an account becomes locked. For example, if Dave's password expired on Wednesday and the number of inactive days is 2 then Dave's account will be locked on Friday.

To set the number of inactive days run the following command:

sudo chage -I 5 dave

The above command will give Dave 5 days to access his account and change the password before the account becomes locked.

An administrator can clear the lock by running the following command:

sudo chage -I -1 dave

How to Warn a User Their Password Is About to Expire

You can warn a user every time they log in that their password is going to expire.

For example, if you want Dave to be told that his password is going to expire in the next 7 days run the following command:

sudo chage -W 7 dave

How to Prevent a User Changing Their Password Too Often

If a user changes their password every day it probably isn't a good thing. In order to change your password every day and remember it, you must be using some sort of pattern.

To prevent a user changing their password too often you can set a minimum number of days before they can change the password.

sudo chage -m 5 dave

It is up to you whether you enforce this option. Most people are lethargic when changing passwords as opposed to being obsessed with it.

You can remove the limit by specifying the following command:

sudo chage -m 0 dave