passwd Command.
Both Linux and UNIX-like (UN*X) operating systems use the passwd command to change user's password. The passwd is used to update a user’s authentication token (password) stored in /etc/shadow file. The passwd change passwords for user and group accounts.
Key derivation function
How does it work? - the user's password is sent through a key derivation process to generate a hashed version of the new password, which is stored. For security reasons, only the hashed version is kept; the inputted password is not preserved at all. When a user logs in, the password entered during the log-in procedure is processed through the same key derivation method, and the resultant hashed version is compared to the stored version. If the hashes are the same, the password entered is assumed to be correct, and the user is authorized.
In theory, it is possible for two different passwords to produce the same hash.
However, cryptographic hash algorithms are built in such a manner that discovering any password that generates the same hash is extremely difficult and virtually impossible, thus the user may be verified if the created hash matches the stored one.
Overview
The passwd command changes passwords for user accounts. A normal user can only change their own password, but a superuser can change the password for any account. passwd may also modify or reset the account's validity period, which is the amount of time before the password expires and has to be updated.
A normal user must first provide their existing password for verification before they may change their password. (the superuser can skip this step when updating another user's password.)
After verifying the existing password, passwd checks to determine if the user is permitted to change their password at this time. Otherwise, passwd refuses to continue and exits.
Otherwise, the user is requested twice for a new password. For the passwd command to proceed, both entries must match.
Next, the password is tested for complexity. As a general guideline, passwords should consist of at least 6 characters, including one or more of each of the following:
- lower case letters
- digits 0 through 9
- punctuation marks
Change your password
Running passwd with no argument changes the password of the account running the command. You will first be prompted to enter the account's current password:
$ passwd
Changing password for snubmonkey.
Current password:
New password:
Retype new password:
You must choose a longer password
New password:
Retype new password:
passwd: password updated successfullyIf both the complexity and the passwords match, the password will be changed.
Change another user's password
If you have superuser privileges, you can change any user's password. To run as the superuser, we prefix the command with sudo. This command resets the password for user unicorn. You will not be prompted for unicorn's current password.
$ sudo passwd unicorn
New password:
Retype new password:
passwd: password updated successfullyWhere,
unicorn – is your username or account name.
Forcing a user to change password at the next login
By default, Linux passwords never expire for users. However, we can force users to change their password the next time they log in via GUI or CLI methods using the argument -e or --expire.
$ sudo passwd -e unicorn
[sudo] password for snubmonkey:
You can't get the wood, you know.
[sudo] password for snubmonkey:
passwd: password expiry information changed.Now, let's try to ssh:
$ autossh -M 20888 unicorn@192.168.2.222 -p 12345
You are required to change your password immediately (administrator enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for unicorn.
Current password:
New password:
Retype new password:
passwd: password updated successfully
Connection to 192.2.2.222 closed.
-S, --status
Using passwd with the --status argument displays all the information about a password and the validity periods. The shorter version is -S:
$ sudo passwd -S target
OUTPUT
target P 08/26/2021 6 12 7 16Here, we see the user's name (target), followed by a P, indicating that his password is currently valid and usable.
A locked account will indicate an L.
See more on our article Lock and Unlock accounts.
In our above example, our password will expire on Sept 11, 2021.
Target cannot change his password more often than every 6 days and must change the password every 12 days.
He/she will be warned 7 days before a required password change, and if he/she allows his password to expire, his/her account will be disabled 16 days later.
There are numerous commands to use with the passwd command.
List all the options if you forget any by running:
$ passwd --help
OR
$ passwd -h