The passwd command in Linux: how to change user passwords securely

Posted on by BlockmyIP | Category: Linux terminal commands

Introduction

In any Linux system, credential management is a fundamental task for maintaining security. The passwd command allows administrators and users themselves to change their passwords quickly and in a controlled manner. Through its various options it is possible not only to update the password, but also to lock accounts, set expiration policies, and check the authentication status. This article explains step by step how to use passwd effectively, with practical examples and best practice recommendations.

Basic syntax of the passwd command

The simplest way to invoke passwd is to just type its name in the terminal. Without arguments, the command prompts for the current password of the user running it and then asks twice for the new password to confirm it. The general syntax is:

passwd [options] [user]

If a username is specified, the command acts on that account provided the process has the necessary privileges (normally root or sudo privileges are required). Options modify the command’s behavior, allowing actions such as locking or unlocking the account, displaying status information, or defining expiration policies.

Changing your own user’s password

To change the password for your own user, open a terminal and run:

passwd

The system will prompt you for:

  1. Your current password.
  2. The new password.
  3. Confirmation of the new password.

If the two entries of the new password match and comply with the system’s complexity rules (minimum length, use of special characters, etc.), the password will be updated immediately. In case of error, the command will display a message and allow you to try again.

Changing another user’s password (requires privileges)

Administrators can modify the password of any system account. For example, to change the password for user juan run:

sudo passwd juan

After prompting for the sudo password (if configured), the system will ask for the new password for user juan and its confirmation. The current password of that account is not requested, because the root process has authority to overwrite it. This method is useful when you need to restore access for a user who has forgotten their password.

Useful passwd options

  • -l: Locks the user’s account, preventing authentication. It is frequently used when a compromise is suspected.
  • -u: Unlocks an account previously locked with -l.
  • -S: Displays brief information about the account status, such as whether it is locked, the date of the last change, and the expiration policy.
  • -n days: Sets the minimum number of days that must elapse before the user is allowed to change the password again.
  • -x days: Defines the maximum number of days the password remains valid; after that period the user is forced to change it.
  • -w days: Configures how many days before expiration the system will start warning the user.
  • -i days: Specifies the number of days of inactivity after expiration before the account is automatically locked.

These options can be combined according to security policy needs. For example, to set a 90-day expiration, with a warning 7 days prior and lockout after 3 days of inactivity following expiration, you could use:

sudo passwd -x 90 -w 7 -i 3 juan

Practical examples

Below are several common scenarios:

  • Force an immediate password change at the next login:
    • sudo passwd -e juan
  • View the status of the account for maria:
    • passwd -S maria
  • Temporarily lock a user’s account:
    • sudo passwd -l tempuser
  • Unlock it again:
    • sudo passwd -u tempuser

Security best practices

  • Use long and complex passwords, preferably generated by a password manager.
  • Change credentials periodically, following the policies defined with the -x and -w options.
  • Avoid reusing passwords across different services or accounts.
  • Regularly audit accounts with passwd -S to detect unusual states (such as locked accounts without reason).
  • Log password changes in the system logs to maintain an access history.

Conclusion

The passwd command is an essential tool for both regular users and Linux system administrators. Its simplicity in basic use combines with a wide set of options that allow rigorous security policies to be applied. Knowing its syntax, its modifiers, and best practices ensures that credentials remain protected and that the system can respond appropriately to incidents or compliance requirements. Mastering passwd directly contributes to a more secure

This post is also available in ESPAÑOL.

Leave a Reply

Your email address will not be published. Required fields are marked *

Esta obra está bajo una Licencia Creative Commons Atribución 4.0 Internacional para Francesc Roig francesc@vivaldi.net .