chpasswd Command

Update passwords for multiple users in batch mode, reading username:password pairs from standard input or files.

Syntax

chpasswd [OPTIONS]
echo "username:password" | chpasswd
chpasswd < passwordfile

The chpasswd command reads username:password pairs and updates user passwords in batch mode, useful for system administration tasks.

Common Options

Option          Description
-e              Passwords are already encrypted
-m              Use MD5 encryption instead of DES
-c METHOD       Use specified encryption method
-s ROUNDS       Number of rounds for SHA encryption
-R CHROOT_DIR   Apply changes in chroot directory
--help          Display help information

Basic Usage

Single user password change

# Change password for single user
echo "john:newpassword123" | sudo chpasswd

# Change password with pipe
printf "alice:secretpass\n" | sudo chpasswd

# Multiple users at once
echo -e "john:pass123\nalice:pass456\nbob:pass789" | sudo chpasswd

Change passwords for individual users

Using password files

# Create the password file with owner-only permissions before writing to it
touch passwords.txt
chmod 600 passwords.txt
cat > passwords.txt << EOF
john:newpass123
alice:secretword
bob:mypassword
charlie:strongpass
EOF

# Apply passwords from file
sudo chpasswd < passwords.txt

# Remove password file after use
shred -u passwords.txt

Use files to manage multiple password changes

Encrypted passwords

# Generate encrypted password
encrypted=$(openssl passwd -6 "mypassword")
echo "john:$encrypted" | sudo chpasswd -e

# Use pre-encrypted passwords
echo "alice:\$6\$salt\$hashedpassword" | sudo chpasswd -e

# From /etc/shadow format
sudo chpasswd -e < encrypted_passwords.txt

Work with pre-encrypted passwords
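
An added example (not from the original page or from the chpasswd project): a pre-flight check for a chpasswd input file, covering both the password-file and the -e usage above. The function name lint_chpasswd_input, the conservative username rule and the "$id$salt$hash" test for a crypt hash are assumptions of this example; with -e the password field is stored as given, so plaintext fed that way ends up in /etc/shadow unhashed.

```bash
# lint_chpasswd_input MODE FILE   (MODE: plain | hashed; hashed = input for "chpasswd -e")
# Prints one line per problem (never the password) and returns 0 only for a clean file.
lint_chpasswd_input() (
    mode=$1 file=$2 bad=0 n=0 seen=" "
    # Owner-only permissions: characters 5-10 of the mode string are group/other bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$file: group/other access ($perms)"; bad=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *:*) user=${line%%:*} pass=${line#*:} ;;
            *)   echo "line $n: missing ':' separator"; bad=1; continue ;;
        esac
        # Assumed username rule: lowercase letter or '_' first, then [a-z0-9_-].
        case $user in
            ""|[!a-z_]*|*[!a-z0-9_-]*) echo "line $n: bad username"; bad=1 ;;
        esac
        case $seen in
            *" $user "*) echo "line $n: duplicate entry for $user"; bad=1 ;;
        esac
        seen="$seen$user "
        # Assumed hash shape: modular crypt format, e.g. $6$salt$hash for SHA-512.
        case $pass in
            "") echo "line $n: empty password"; bad=1 ;;
            '$'*'$'*'$'*)
                [ "$mode" = hashed ] || { echo "line $n: hash given without -e"; bad=1; } ;;
            *)
                [ "$mode" = plain ] || { echo "line $n: plaintext given with -e"; bad=1; } ;;
        esac
    done < "$file"
    exit "$bad"   # body runs in a subshell, so this only sets the function's status
)

# Constructed sample input: line 2 is a hash and line 3 repeats a user.
demo=$(mktemp)   # mktemp creates the file with mode 600
printf '%s\n' 'john:Corr3ct-Horse' 'alice:$6$salt$hashedpassword' 'john:again' > "$demo"
lint_chpasswd_input plain "$demo" || echo "refusing to run chpasswd"
rm -f "$demo"
```

Run it as `lint_chpasswd_input plain passwords.txt && sudo chpasswd < passwords.txt`, or with `hashed` in front of `chpasswd -e`.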

Advanced Usage

Encryption methods

# Use SHA-512 encryption (recommended)
echo "john:password123" | sudo chpasswd -c SHA512

# Use SHA-256 encryption
echo "alice:password456" | sudo chpasswd -c SHA256

# Use MD5 encryption (legacy)
echo "bob:password789" | sudo chpasswd -m

# Specify rounds for SHA encryption
echo "charlie:strongpass" | sudo chpasswd -c SHA512 -s 10000

Use different encryption methods

Batch user creation and password setting

#!/bin/bash

# Create users and set passwords
users_data="
john:John Doe:password123
alice:Alice Smith:secretword
bob:Bob Johnson:mypassword
"

# Create users first
echo "$users_data" | while IFS=: read -r username fullname password; do
    if [ -n "$username" ]; then
        sudo useradd -m -c "$fullname" "$username"
        echo "Created user: $username"
    fi
done

# Set passwords
echo "$users_data" | while IFS=: read -r username fullname password; do
    if [ -n "$username" ]; then
        echo "$username:$password"
    fi
done | sudo chpasswd

echo "Users created and passwords set"

Combine user creation with password setting

Random password generation

#!/bin/bash

generate_password() {
    # Generate random password
    openssl rand -base64 12 | tr -d "=+/" | cut -c1-12
}

# Generate passwords for multiple users
users=("john" "alice" "bob" "charlie")
# mktemp picks an unpredictable name and creates the file with mode 600,
# so the passwords are never written to a world-readable file
password_file=$(mktemp /tmp/new_passwords.XXXXXX)

# Generate and store passwords
for user in "${users[@]}"; do
    if id "$user" &>/dev/null; then
        password=$(generate_password)
        echo "$user:$password" >> "$password_file"
        echo "Generated password for $user: $password"
    fi
done

# Apply passwords
sudo chpasswd < "$password_file"

echo "Passwords updated. Secure the password file: $password_file"

Generate and set random passwords

Practical Examples

New employee onboarding

#!/bin/bash

onboard_employees() {
    local csv_file="$1"
    local temp_pass_file
    # mktemp picks an unpredictable name and creates the file with mode 600
    temp_pass_file=$(mktemp /tmp/employee_passwords.XXXXXX)

    # Read CSV file (username,fullname,department,email)
    while IFS=, read -r username fullname department email; do
        # Skip header line
        [[ "$username" == "username" ]] && continue

        # Generate a random temporary password, unique per user
        temp_password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)

        # Create user account
        sudo useradd -m -c "$fullname" -s /bin/bash "$username"

        # Add to appropriate groups
        case $department in
            "IT")
                sudo usermod -a -G sudo,adm "$username"
                ;;
            "HR")
                sudo usermod -a -G hr "$username"
                ;;
            "Finance")
                sudo usermod -a -G finance "$username"
                ;;
        esac

        # Store password for batch update
        echo "$username:$temp_password" >> "$temp_pass_file"

        echo "Created account for $fullname ($username)"
    done < "$csv_file"

    # Set all passwords at once
    sudo chpasswd < "$temp_pass_file"

    # Force password change on first login
    while IFS=: read -r username _; do
        sudo chage -d 0 "$username"
    done < "$temp_pass_file"

    echo "Employee onboarding complete. Password file: $temp_pass_file"
}

# Usage: onboard_employees employees.csv

Automate employee onboarding process

Password reset for multiple users

#!/bin/bash

reset_passwords() {
    local user_list="$1"
    local reset_file
    # mktemp picks an unpredictable name and creates the file with mode 600
    reset_file=$(mktemp "/tmp/password_reset_$(date +%Y%m%d_%H%M%S)_XXXXXX")

    echo "=== Password Reset Process ==="
    echo "Date: $(date)"
    echo "Reset file: $reset_file"
    echo

    # Generate new passwords
    while read -r username; do
        # Skip empty lines and comments
        [[ -z "$username" || "$username" =~ ^# ]] && continue

        if id "$username" &>/dev/null; then
            # Generate secure password
            new_password=$(openssl rand -base64 16 | tr -d "=+/" | cut -c1-12)

            # Store for batch update
            echo "$username:$new_password" >> "$reset_file"

            echo "Reset password for: $username"
        else
            echo "User not found: $username"
        fi
    done < "$user_list"

    # Apply password changes (only if at least one entry was written)
    if [ -s "$reset_file" ]; then
        sudo chpasswd < "$reset_file"

        # Force password change on next login
        while IFS=: read -r username _; do
            sudo chage -d 0 "$username"
            echo "Forced password change for: $username"
        done < "$reset_file"

        echo
        echo "Password reset complete!"
        echo "Users must change passwords on next login"
        echo "New passwords stored in: $reset_file"
    fi
}

# Create user list file
cat > users_to_reset.txt << EOF
john
alice
bob
# charlie - skip this user
EOF

# Run password reset
reset_passwords users_to_reset.txt

Reset passwords for multiple users

Service account management

#!/bin/bash

manage_service_accounts() {
    local config_file="service_accounts.conf"
    local password_file
    # mktemp picks an unpredictable name and creates the file with mode 600
    password_file=$(mktemp /tmp/service_passwords.XXXXXX)

    # Service account configuration
    cat > "$config_file" << EOF
# Service accounts configuration
# Format: username:description:shell:groups
webapp:Web Application Service:/bin/false:www-data
dbbackup:Database Backup Service:/bin/bash:backup
monitoring:System Monitoring:/bin/false:adm
apiservice:API Service Account:/bin/false:api
EOF

    echo "Creating service accounts..."

    # Process service accounts
    while IFS=: read -r username description shell groups; do
        # Skip comments and empty lines
        [[ "$username" =~ ^#.*$ || -z "$username" ]] && continue

        # Generate strong password
        password=$(openssl rand -base64 24 | tr -d "=+/")

        # Create service account
        sudo useradd -r -m -c "$description" -s "$shell" "$username"

        # Add to groups
        if [ -n "$groups" ]; then
            sudo usermod -a -G "$groups" "$username"
        fi

        # Store password
        echo "$username:$password" >> "$password_file"

        # Set password aging (no expiration for service accounts)
        sudo chage -I -1 -m 0 -M 99999 -E -1 "$username"

        echo "Created service account: $username"
    done < "$config_file"

    # Set passwords
    sudo chpasswd < "$password_file"

    echo "Service accounts created. Passwords in: $password_file"
}

manage_service_accounts

Manage service accounts with batch passwords

Best Practices

chpasswd Security Best Practices
  • Always use secure file permissions (600) for password files
  • Delete or shred password files after use
  • Use strong encryption methods (SHA-512 recommended)
  • Generate random passwords for better security
  • Force users to change temporary passwords on first login
  • Log password change activities for audit trails
  • Never store passwords in plain text permanently

Security Considerations
  • File security - Password files contain sensitive data
  • Process visibility - Passwords may be visible in process lists
  • Root access - chpasswd requires administrative privileges
  • Audit logging - Password changes should be logged
  • Temporary files - Clean up temporary password files
