Password Basics
On Linux, passwords are what prove you are who you say you are when you log in. The system doesn't store your actual password—it stores a hash (a one-way fingerprint) in /etc/shadow. When you type your password, the system hashes it and compares it to the stored hash. This lesson covers the basics: how to set and change passwords with the passwd command, how to check password aging with chage, and simple good practices. Only root can change other users' passwords; normal users can change only their own.
Quick Reference
| Command | What It Does | Common Use |
|---|---|---|
| passwd | Set or change a user's password | Setting a new password (self or another user as root) |
| chage | View or set password aging (expiration, warning) | Password policies, checking when a password expires |
When to Use These Commands
- Setting a password for a new user (after useradd)
- Changing your own password or (as root) another user's password
- Locking or unlocking an account (e.g. passwd -l)
- Checking or setting when a password expires and when the user is warned
passwd Command
passwd is the normal way to set or change a password. Without a username, it changes your own password; with a username, root can change that user's password.
Common Options for passwd
| Option | What It Does | When to Use It |
|---|---|---|
| username | Change that user's password (root only) | e.g. sudo passwd jdoe |
| -l | Lock the account (password invalid) | To disable login without deleting the user |
| -u | Unlock the account | To re-enable after -l |
| -d | Remove the password (empty password; root only) | Rare; use with caution |
| -e | Force password to expire so user must change it at next login | After setting a temporary password |
Practical Examples
Change your own password
# You'll be prompted for current password, then new password twice
passwd
Set another user's password (root)
# Root sets password for jdoe (no current password needed)
sudo passwd jdoe
Lock and unlock an account
# Lock so user cannot log in with password
sudo passwd -l jdoe
# Unlock
sudo passwd -u jdoe
Force password change at next login
# After setting a temporary password, force user to change it
sudo passwd jdoe
sudo passwd -e jdoe
chage Command
chage lets you view and set password aging: when the password was last changed, when it expires, how many days the user is warned, and when the account itself expires. Useful for security policies (e.g. "passwords must be changed every 90 days").
Common Options for chage
| Option | What It Does |
|---|---|
| -l username | List current aging info in a readable way |
| -M days | Maximum days the password is valid (after that it expires) |
| -m days | Minimum days between password changes |
| -W days | Days to warn before password expires |
| -E YYYY-MM-DD | Account expiration date |
| -d YYYY-MM-DD | Last password change date (can force change at next login with -d 0) |
View password aging
# See when password was last changed, when it expires, etc.
chage -l jdoe
Set password to expire in 90 days
sudo chage -M 90 jdoe
Warn user 7 days before expiration
sudo chage -W 7 jdoe
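To see what these commands leave behind in the file itself, the following added example (not part of the original lesson) parses /etc/shadow-style lines and reports the states produced by passwd -l, -d, -e and chage -M, -W, -E. The sample entries, the function name audit_shadow_line and the fixed "today" date are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow dates are day counts from this day

# Constructed sample entries (hash text is a placeholder, not a real hash).
SAMPLE = [
    "alice:$6$salt$CONSTRUCTEDHASH:19790:0:90:7:::",
    "bob:!$6$salt$CONSTRUCTEDHASH:19700:0:90:7:::",
    "carol:$6$salt$CONSTRUCTEDHASH:0:0:90:7:::",
    "dave::19800:0:99999:7:::",
    "erin:$6$salt$CONSTRUCTEDHASH:19800:0:99999:7::19800:",
]

def _num(field):
    """Empty shadow fields mean 'not set'."""
    return int(field) if field else None

def audit_shadow_line(line, today):
    """Return (username, findings) for one /etc/shadow entry."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields")
    name, pw = f[0], f[1]
    last, _min, max_, warn, _inact, acct_exp = (_num(x) for x in f[2:8])
    now = (today - EPOCH).days
    out = []
    if pw == "":
        out.append("empty password")             # state left by passwd -d
    elif pw.startswith("!"):
        out.append("password locked")            # passwd -l prepends '!'
    if last == 0:
        out.append("must change at next login")  # passwd -e or chage -d 0
    elif last is not None and max_ is not None and max_ >= 0:
        expires = last + max_                    # max_ is set by chage -M
        if now >= expires:
            out.append(f"password expired on {EPOCH + timedelta(days=expires)}")
        elif warn is not None and expires - now <= warn:  # chage -W
            out.append(f"password expires in {expires - now} days")
    if acct_exp is not None and now >= acct_exp:  # chage -E
        out.append("account expired")
    return name, out

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_shadow_line(entry, date(2024, 6, 1)))
```

A locked password field only invalidates the password; it does not by itself block other login methods such as SSH keys, which is why the account expiry field is reported separately.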
Tips for Success
- Always set a password after useradd so the user can log in (unless it's a nologin account)
- Use passwd -e after setting a temporary password so the user must change it
- Use chage -l username to see why a user might be unable to log in (expired, etc.)
Common Mistakes to Avoid
- Setting a weak or shared password; encourage strong, unique passwords
- Forgetting to set a password after creating a user (they can't log in)
- Locking yourself out by changing root's password incorrectly—double-check when using sudo passwd
Best Practices
- Use passwd to set and change passwords; don't edit /etc/shadow by hand
- Use chage to enforce password expiration and warnings where policy requires it
- Use passwd -l or usermod -L to disable an account instead of deleting it when appropriate