Linux Change User Password (passwd)

This tutorial explains how to use the Linux passwd command to change a user password or disable an account.

You’re assigned a ticket: A simple password reset, but it’s for a Linux machine. What do you need to know to reset a password on Linux?

First, the basics. For users, the passwd authentication token is stored in the /etc/shadow file. For groups, it’s stored in the appropriately named /etc/gshadow file.

passwd allows you to change passwords for either. The normal usage of passwd is:

  • Reset password
  • Expire, lock, and disable an account
  • Reset your own account

Let’s dig into the options.

Change Password

The basic form:

passwd

When entered into the terminal, this will prompt you to change your own password.

Changing password for samuelberry.
Current password:
Enter new password:
Retype new password:
passwd: password updated successfully

Simple enough. You’re first prompted to enter your current password. Its hash is compared to the hash stored in the shadow file. Then the new password is checked against the complexity requirements.

Alright, now we need to reset another user’s password. It’s simple, and the prompts will be the same except for one.

sudo passwd samuelberry

Now the output skips the current password step, as we’re using root privileges to control the account.

Enter new password:
Retype new password:
passwd: password updated successfully

Updating my own password as the root user is the same process as editing another account.

You could also review the pam_tally2 history to check for a locked account, or cat the /etc/shadow file to see whether the account is also locked or disabled.

The process for a group is the same, but requires the extra [-g] flag.

Disable an Account

Let’s assume a user has requested that their account be disabled. They’ll be out for thirty days of travel and need to secure it before they go.

sudo passwd -le samuelberry

There we go, account locked [-l] and expired [-e]. I prefer to expire the account as well. That way if the account is compromised, you can monitor account activity.

If the account’s password is reset while the user is out, you can configure an alert for the activity. To verify the account is locked:

sudo passwd -S samuelberry
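
The /etc/shadow check mentioned earlier can be scripted. The following is an added example, not part of the original tutorial: it reads shadow-format lines and prints the same P/L/NP status letters that passwd -S uses, plus a note when a password change is forced or the account expiry date has passed. The function name shadow_report and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. shadow_report and SAMPLE_SHADOW are hypothetical names.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample lines in /etc/shadow format (hashes are placeholders).
SAMPLE_SHADOW='samuelberry:!$6$salt$placeholderhash:0:0:99999:7:::
alice:$6$salt$placeholderhash:19800:0:99999:7:::
svc_backup:*:19000:0:99999:7:::
contractor:$6$salt$placeholderhash:19800:0:99999:7::19900:
nopass::19800:0:99999:7:::'

# Read shadow-format lines on stdin and print "<user> <status> [notes]".
# $1 (optional) = today as days since 1970-01-01, so results are repeatable.
shadow_report() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF < 8 { next }                      # skip blank or malformed lines
        {
            state = "P"                      # usable password hash
            if ($2 == "")          state = "NP"   # no password set at all
            else if ($2 ~ /^[!*]/) state = "L"    # passwd -l prepends "!"
            notes = ""
            # passwd -e sets the last-change field to 0: change forced at login
            if ($3 == "0") notes = notes " must-change"
            # field 8 is the account expiry date, which passwd -e leaves alone
            if ($8 != "" && $8 + 0 <= today + 0) notes = notes " account-expired"
            print $1, state notes
        }'
}

# "L" only blocks password logins; per passwd(1), other authentication
# tokens such as an SSH key may still work on a locked account.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_report
```

On a real host, feed it the live file with sudo cat /etc/shadow | shadow_report.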

Conclusion

We’ve covered how to change a user’s password using the passwd command and how to disable and expire an account. Simple enough.

There are some additional steps required in performing a system recovery. If you’ve locked yourself out of your server, chances are you’ll need to enter single-user mode. Or, if you’re working with LDAP or Microsoft AD accounts, you’ll need to reset the password from the directory.

Samuel Berry