How To Linux How To Force Users To Change Their Passwords Share Pin Email Print Lifewire Linux Tips & Tricks Basics Guides & Tutorials Installing & Upgrading Commands Key Concepts by Gary Newell Gary Newell was a freelance contributor, application developer, and software tester with 20+ years in IT, working on Linux, UNIX, and Windows. Updated March 25, 2019 Introduction A system administrator's life is not an easy one. Maintaining system integrity, maintaining security, troubleshooting issues. There are so many spinning plates. When it comes to security you need your users to choose a strong password and you need them to change it periodically. This guide shows you how to force users to change their password using the change command. User Password Expiry Information To find out about a user's password expiry information run the following command: chage -l The returned information is as follows: When the password was last changedWhen the password expiresHow many days of inactivity before the password expiresWhen the account expiresMinimum number of days between password changesMaximum number of days between password changesNumber of days warning before the password expires. How to Force a User to Change Their Password Every 90 Days You can force a user to change their password after a set number of days by using the following command: sudo chage -M 90 You will need to use sudo to elevate your permissions to run this command or switch to a user who has the appropriate permissions using the su command. If you now run the chage -l command you will see that the expiry date is set and the maximum number of days is 90. You can, of course, specify the number of days that suits your own security policy. How to Set the Expiry Date for an Account Imagine Uncle Dave and Aunty Joan are visiting your house for a holiday. You can create each of them an account using the following adduser command: sudo adduser davesudo adduser joan Now that they have accounts you can set their initial passwords using the passwd command as follows: sudo passwd davesudo passwd joan Imagine that Dave and Joan are leaving on the 31st of August 2020. You can set the expiry date for the accounts as follows: sudo chage -E 2020-08-31 dave sudo chage -E 2020-08-31 joan If you run the chage -l command now you should see that the account will indeed expire on the 31st August 2020. After an account is expired an administrator can clear the expiration date by running the following command: sudo chage -E -1 dave Set the Number of Days After the Password Expires Before the Account Is Locked You can set the number of days after a password expires when an account becomes locked. For example, if Dave's password expired on Wednesday and the number of inactive days is 2 then Dave's account will be locked on Friday. To set the number of inactive days run the following command: sudo chage -I 5 dave The above command will give Dave 5 days to access his account and change the password before the account becomes locked. An administrator can clear the lock by running the following command: sudo chage -I -1 dave How to Warn a User Their Password Is About to Expire You can warn a user every time they log in that their password is going to expire. For example, if you want Dave to be told that his password is going to expire in the next 7 days run the following command: sudo chage -W 7 dave How to Prevent a User Changing Their Password Too Often If a user changes their password every day it probably isn't a good thing. In order to change your password every day and remember it, you must be using some sort of pattern. To prevent a user changing their password too often you can set a minimum number of days before they can change the password. sudo chage -m 5 dave It is up to you whether you enforce this option. Most people are lethargic when changing passwords as opposed to being obsessed with it. You can remove the limit by specifying the following command: sudo chage -m 0 dave Continue Reading