Table of Contents
Linux passwd command changes a user’s password. A user can only change his/her own password but the root/superuser may change any user’s password.
Let’s look at the Linux man page to understand the usage of this command. This is done by typing in the following command:
Copy$ man passwd
Passwords in Linux
The traditional method of storing passwords in a UNIX based system involved storing the information in /etc/passwd file.
This file, however, was accessed by many programs and hence posed a security risk.
/etc/passwd file only contains essential user info required at login and authentication.
The actual encrypted version of the password is stored in a separate file –
/etc/shadow. This file can only be accessed by the root user.
file looks as follows:
Each line of the file contains general user information about a certain program or user. The fields are separated by
These field are as follow:
- Username (upto 8 characters)
- x to denote the password, which is stored in the
/etc/shadowfile in encrypted format.
- Numeric User ID.
- Numeric Group ID.
- Full username.
- Path of the home directory.
- Path of the preferred shell. (
/etc/shadowfile looks as follows (requires root access):
This file contains account and password information. The fields are separated by
The fields corresponding user account information are as follow:
- Username (upto 8 characters)
- The second field contains the encrypted password and is divided into sub-fields (separated by
$character).The first sub-field denotes the encryption algorithm used:Copy$1$ - MD5 $2a$ - Blowfish $2y$ - Blowfish(v2) $5$ - SHA-256 $6$ - SHA-512
Second sub-field contains the salt value used during the encryption process. Third sub-field contains the encrypted password.
- Number of days since the password was changed.
- Number of days before password may be changed (0 indicates it may be changed at any time).
- Number of days after which password must be changed.
- Number of days prior to the expiration of the password, that the user must be warned.
- Number of days after which the account is disabled after a password has expired.
- Days since Jan 1, 1970 that the account has been inactive or disabled.
- Reserve field for extra information.
Linux password Command Syntax
Copy$ passwd [options]... [LOGIN]...
1. Changing Current User’s password
Typing passwd prompts the user to first enter the current password. User only gets one chance the type in the correct password. If the password entered is incorrect or cannot be changed at the time, the terminal displays an error and exits.
Once the password is entered, it is encrypted and matched against the stored encrypted password. The user is then prompted to enter the new password twice. Both passwords need to be sufficiently complex and match each other in order to be accepted as valid passwords.
An error is displayed if the new password resembles the old one closely.
Once every criterion is met, the password for the current user is changed successfully.
2. Changing another User’s password
The following command is used to change the password of another user:
Copy$ sudo passwd adam
Since root access is required to change passwords of other users, the terminal prompts the user to enter the password. The process to change the password for other users is same as the current user.
Linux passwd Command Options
- -d or –delete option deletes the user’s password. It sets the user’s account passwordless.
- -e or –expire option immediately expires user’s password. This can force them to change their password.
- -h or –help option displays the help message and exits.
- -l or –lock option locks the password of the named account by adding a ‘!’ at the beginning of the password. This prevents the encrypted hash to be successfully matched against stored hash. Users with locked passwords cannot change their passwords.
- -i [INACTIVE_DAYS]or –inactive [INACTIVE_DAYS] option disables an account after the password has expired for a number of days.
- -n [MIN_DAYS] or –mindays [MIN_DAYS] option sets minimum number of days between password changes. A value of
0suggests a password can be changed anytime.
- -r [REPOSITORY] or –repository [REPOSITORY] option sets password for a particular repository.
- -S or –status displays account status information.
- -a or –all option shows the status for all users. It can only be used with -S.
- -u or –unlock options unlocks a locked password and sets to to it’s previous value.
- -w [WARN_DAYS] or –warndays [WARN_DAYS] option sets the number of days a warning is displayed before the password needs to be changed.
- -x or –maxdays [MAX_DAYS] option sets the maximum number of days a password remains valid. After that, password needs to be changed.
The output is split into different fields as shown above. The first field shows the name of the current user.
The second field shows if the user has a usable password (P), locked password (L) or no password (NP).
The third field shows the last date of the password change. The next few fields show the minimum age, maximum age, warning period and inactivity period of password respectively.
Linux passwd command is a basic but important command. It can be used to handle essential user information and authentication upon logging in the system and performing various tasks in the terminal like installing packages and accessing certain directories.