passwd Command
Change user passwords and manage account security settings in Linux systems.
Syntax
passwd [OPTIONS] [USERNAME]
The passwd command changes passwords for user accounts. A normal user may only change the password for their own account, while the superuser may change the password for any account.
Common Options
| Option | Description |
|--------|-------------|
| -l, --lock | Lock the password of the named account |
| -u, --unlock | Unlock the password of the named account |
| -d, --delete | Delete the password for the named account |
| -e, --expire | Force password expiration |
| -n, --minimum | Set minimum password lifetime |
| -x, --maximum | Set maximum password lifetime |
| -w, --warning | Set password warning period |
| -i, --inactive | Set password inactive period |
| -S, --status | Display account status information |
| --stdin | Read password from standard input |
Basic Examples
Changing passwords
# Change your own password
passwd
# Change another user's password (as root)
sudo passwd username
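# Change password from script (non-interactive)
# --stdin is not supported by every passwd implementation, and the literal
# password stays in the script; chpasswd (below) also reads from standard input
echo "newpassword" | sudo passwd --stdin username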
# Set password for new user
sudo passwd newuser
Basic password change operations
Account status management
# Lock user account
sudo passwd -l username
# Unlock user account
sudo passwd -u username
# Check account status
sudo passwd -S username
# Force password expiration
sudo passwd -e username
Manage account lock status and expiration
Password policies
# Set minimum password age (7 days)
sudo passwd -n 7 username
# Set maximum password age (90 days)
sudo passwd -x 90 username
# Set warning period (7 days before expiration)
sudo passwd -w 7 username
# Set inactive period (30 days after expiration)
sudo passwd -i 30 username
Configure password aging and policy settings
Advanced Usage
Batch password operations
# Set passwords from file
sudo chpasswd < passwords.txt
# Format of passwords.txt:
# username1:password1
# username2:password2
# Generate random passwords
# Create the plaintext list first, readable by its owner only
touch user_passwords.txt && chmod 600 user_passwords.txt
for user in user1 user2 user3; do
    password=$(openssl rand -base64 12)
    echo "$password" | sudo passwd --stdin "$user"
    echo "$user:$password" >> user_passwords.txt
done
# Bulk password expiration
for user in $(cat userlist.txt); do
    sudo passwd -e "$user"
done
Automate password management for multiple users
Security operations
# Remove password (passwordless login)
sudo passwd -d username
# Lock account immediately
sudo passwd -l username
sudo usermod -L username # Alternative method
# Unlock and force password change
sudo passwd -u username
sudo passwd -e username
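# Check if account is locked (test only the status field, not the whole line,
# so a username containing "L" is not reported as locked)
sudo passwd -S username | awk '{print $2}' | grep -qx "L" && echo "Locked" || echo "Unlocked"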
Advanced security and account management operations
Password policy enforcement
# Set comprehensive password policy
sudo passwd -n 1 -x 90 -w 7 -i 30 username
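# Apply policy to all users (UID 65534 is the nobody account)
for user in $(awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd); do
    sudo passwd -x 90 -w 7 "$user"
done
# Check password aging for all users
sudo passwd -Sa
# Find users with expired passwords
# (field 5 of passwd -S is the maximum age, not days remaining, so compare
# last change + maximum age in /etc/shadow against today's day number)
sudo awk -F: -v today="$(( $(date +%s) / 86400 ))" \
    '$2 !~ /^[!*]/ && $3 > 0 && $5 != "" && $5 < 99999 && $3 + $5 < today {print $1}' /etc/shadow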
Implement and enforce password policies system-wide
Password Status Information
Understanding status output
# Check single user status
sudo passwd -S username
# Example output:
# username P 01/15/2025 7 90 7 30
# | | | | | | |
# | | | | | | +-- Inactive period
# | | | | | +---- Warning period
# | | | | +------- Maximum age
# | | | +--------- Minimum age
# | | +-------------------- Last change date
# | +---------------------- Status (P=Password, L=Locked, NP=No Password)
# +------------------------------- Username
# Check all users
sudo passwd -Sa
Interpret password status information
Status codes explained
| Status | Description |
|--------|-------------|
| P | Password set and valid |
| L | Password locked |
| NP | No password set |
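The status fields and codes described above can be turned into a days-until-expiry check, since the fifth field is the maximum age rather than the days remaining. The script below is an added example, not part of the original page; the function name `password_report`, the sample accounts, the treatment of a maximum age of 99999 as "never expires", and the acceptance of `YYYY-MM-DD` dates are assumptions.

```bash
#!/bin/bash
# Added example: classify `passwd -S` / `passwd -Sa` status lines.
# Fields per the layout above: user status last-change min max warn inactive

# password_report TODAY   (TODAY is YYYY-MM-DD; status lines arrive on stdin)
password_report() {
    awk -v today="$1" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days(y, m, d,    era, yoe, doy) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    # Accept MM/DD/YYYY (as on this page) or YYYY-MM-DD (assumed variant).
    function parse(s,    p) {
        split(s, p, "[-/]")
        if (length(p[1]) == 4) return days(p[1] + 0, p[2] + 0, p[3] + 0)
        return days(p[3] + 0, p[1] + 0, p[2] + 0)
    }
    BEGIN { now = parse(today) }
    NF < 7       { next }                          # not a status line
    $2 == "NP"   { print $1, "no-password"; next }
    $2 == "L"    { print $1, "locked"; next }
    $2 != "P"    { print $1, "unknown"; next }
    $5 < 0 || $5 >= 99999 { print $1, "never-expires"; next }
    {
        left = parse($3) + $5 - now                # days until the password expires
        if (left < 0)        print $1, "expired", left
        else if (left <= $6) print $1, "expiring", left
        else                 print $1, "ok", left
    }'
}

# Constructed sample input (not real accounts).
SAMPLE_STATUS='alice P 01/15/2025 7 90 7 30
bob P 01/01/2025 0 90 7 30
carol L 03/01/2025 0 90 7 30
dave NP 03/01/2025 0 99999 7 -1
erin P 02/20/2025 1 90 7 30
svc P 2024-06-01 0 99999 7 -1'

printf '%s\n' "$SAMPLE_STATUS" | password_report 2025-04-10
# Live use: sudo passwd -Sa | password_report "$(date +%F)"
```

An account is reported as `expiring` once the days remaining fall within its own warning period (field 6), so the threshold follows each account's policy instead of a fixed number.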
Practical Examples
User onboarding
# Create user and set temporary password
sudo useradd -m newuser
echo "TempPass123!" | sudo passwd --stdin newuser
# Force password change on first login
sudo passwd -e newuser
# Set password policy
sudo passwd -n 1 -x 90 -w 7 newuser
# Verify setup
sudo passwd -S newuser
Set up new user accounts with proper password policies
Security incident response
# Lock compromised account immediately
sudo passwd -l compromised_user
# Lock multiple accounts
for user in user1 user2 user3; do
    sudo passwd -l "$user"
    echo "Locked account: $user"
done
# Force password reset for all users (UID 65534 is the nobody account)
for user in $(awk -F: '$3 >= 1000 && $3 != 65534 {print $1}' /etc/passwd); do
    sudo passwd -e "$user"
done
# Generate audit report
echo "Password Status Report - $(date)" > password_audit.txt
sudo passwd -Sa >> password_audit.txt
Respond to security incidents with password controls
Maintenance scripts
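#!/bin/bash
# Password maintenance script
report=password_report.txt
today=$(( $(date +%s) / 86400 ))   # days since 1970-01-01, as stored in /etc/shadow
{
    # Find accounts with passwords expiring soon
    # (/etc/shadow field 3 = last change, field 5 = maximum age, both in days)
    echo "Passwords expiring in 7 days:"
    sudo awk -F: -v today="$today" '
    $2 !~ /^[!*]/ && $3 > 0 && $5 != "" && $5 < 99999 {
        left = $3 + $5 - today
        if (left > 0 && left <= 7) print $1 " expires in " left " days"
    }' /etc/shadow
    # Find locked accounts
    echo "Locked accounts:"
    sudo passwd -Sa | awk '$2 == "L" {print $1}'
    # Find accounts without passwords
    echo "Accounts without passwords:"
    sudo passwd -Sa | awk '$2 == "NP" {print $1}'
} > "$report"
# Send notifications
mail -s "Password Status Report" [email protected] < "$report"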
Automate password maintenance and monitoring
Integration with Other Tools
Working with chage
# passwd and chage provide similar functionality
# Using passwd
sudo passwd -x 90 username
# Equivalent using chage
sudo chage -M 90 username
# View detailed aging info
sudo chage -l username
# Interactive password aging setup
sudo chage username
Use passwd with chage for comprehensive password management
LDAP and network authentication
# For LDAP users, use ldappasswd
ldappasswd -x -D "cn=admin,dc=company,dc=com" -W \
"uid=username,ou=people,dc=company,dc=com"
# For Kerberos users
kpasswd username
# Check if user is local or network
if grep -q "^username:" /etc/passwd; then
    echo "Local account"
elif getent passwd username > /dev/null; then
    echo "Network account"
else
    echo "Not found"
fi
Handle passwords in network authentication environments
Security Best Practices
Password Policy Guidelines
- Enforce minimum password length (8+ characters)
- Require password complexity (mixed case, numbers, symbols)
- Set reasonable maximum password age (90 days)
- Provide adequate warning before expiration (7 days)
- Prevent password reuse
- Lock accounts after failed attempts
Security Considerations
- Never use --stdin in scripts - Passwords may be visible in process lists
- Secure temporary passwords - Use strong temporary passwords and force changes
- Monitor password changes - Log and audit password modifications
- Regular password audits - Check for weak or expired passwords
- Account lockout policies - Implement automatic lockouts for security
Troubleshooting
Common Issues
- Permission denied - Need appropriate privileges
- Password too weak - Doesn't meet system requirements
- Account locked - User account is locked
- Password unchanged - Within minimum age period
Common solutions
# Check password requirements
grep -E "^(PASS_|password)" /etc/login.defs
# Check PAM password requirements
grep password /etc/pam.d/common-password
# Unlock account if locked
sudo passwd -u username
sudo usermod -U username
# Reset minimum age to allow immediate change
sudo passwd -n 0 username
# Check account status
sudo passwd -S username
id username
Diagnose and resolve common password issues