With proper settings, Linux users can be forced to periodically change their passwords. Here's how to view password aging settings and how to configure some of the settings. Credit: BlueBay2014 / Getty Images User passwords on Linux systems can be configured to be permanent or can be set to expire so that individuals must reset them periodically. Periodic password changing is generally considered good practice for security reasons, but is not configured by default. To view and modify password-aging settings, you need to be familiar with a couple important commands – the chage command along with its -l option and the passwd command with its -S. These commands, along with a few other chage commands that are used to configure password aging are described in this post. Viewing password aging settings The way to determine if password aging is in place for some particular account is to use the chage command as shown below. Note that root authority is needed to check any account other than your own. Notice the password expiration date below. $ sudo chage -l dory Last password change : Mar 15, 2020 Password expires : Jun 13, 2020 Password inactive : never Account expires : never Minimum number of days between password change : 10 Maximum number of days between password change : 90 Number of days of warning before password expires : 14 If password aging is not being applied, the account information would look like this: $ sudo chage -l nemo Last password change : Jan 14, 2019 Password expires : never You can also view some of this information using the passwd -S command, but you'll need to know what each of the fields in the output represents: dory$ passwd -S dory P 03/15/2020 10 90 14 -1 The seven fields here represent: 1 – username 2 – account status (L=locked, NP=no password, P=usable password) 3 – date of the last password change 4 – minimum age for a change (password cannot be changed if it isn’t this many days old) 5 – maximum age (password must be changed by the time it gets this many days old) 6 – number of days before a required change that warnings will be provided 7 – number of days after password expires before it is locked (made inactive) One interesting thing to note is that the chage command doesn’t show you if an account is locked; it only shows the password aging settings. The passwd -S command, on the other hand, will tell you when a password is locked. In this example, note that the account status is “L”: $ sudo passwd -S dorothy dorothy L 07/09/2019 0 99999 7 10 This locking takes effect in the /etc/shadow file with the field that normally contains the password “hash” field becoming just a “!”. $ sudo grep dorothy /etc/shadow dorothy:!:18086:0:99999:7:10:: That fact that an account is locked is not obvious in the chage output: $ sudo chage -l dorothy Last password change : Jul 09, 2019 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7 Some options for password aging The most commonly used settings are for the minimum and maximum days. These are often used in combination. For example, you might configure a password so that it cannot be used for more than 90 days (maximum) and then add that it cannot be changed before it has been in effect for a week or 10 days (minimum days). This ensures that users won’t change a password when required and then immediately change it back to what it was previously. $ sudo chage -M 90 -m 10 shark $ sudo chage -l shark Last password change : Mar 16, 2020 Password expires : Jun 14, 2020 Password inactive : never Account expires : never Minimum number of days between password change : 10 You can also set a specific expiration date for an account using the -E option. $ sudo chage -E 2020-11-11 tadpole $ sudo chage -l tadpole Last password change : Oct 15, 2019 Password expires : never Password inactive : never Account expires : Nov 11, 2020 Minimum number of days between password change : 0 Maximum number of days between password change : 99999 Number of days of warning before password expires : 7 Password aging can be an important option as long as it doesn't encourage users to use passwords that are way too simple or write them down in insecure ways. For more information on controlling the character of passwords (e.g., combinations of uppercase and lowercase letters, digits, etc.), check out this post on password complexity. Related content how-to How to find files on Linux There are many options you can use to find files on Linux, including searching by file name (or partial name), age, owner, group, size, type and inode number. By Sandra Henry Stocker Jun 24, 2024 8 mins Linux opinion Linux in your car: Red Hat’s milestone collaboration with exida With contributions from Red Hat and critical collaborators, the safety and security of automotive vehicles has reached a new level of reliability. By Sandra Henry Stocker Jun 17, 2024 5 mins Linux how-to How to print from the Linux command line: double-sided, landscape and more There's a lot more to printing from the Linux command line than the lp command. Check out some of the many available options. By Sandra Henry Stocker Jun 11, 2024 6 mins Linux how-to Converting between uppercase and lowercase on the Linux command line Converting text between uppercase and lowercase can be very tedious, especially when you want to avoid inadvertent misspellings. Fortunately, Linux provides a handful of commands that can make the job very easy. By Sandra Henry Stocker Jun 07, 2024 5 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe