{"id":104701,"date":"2020-11-04T11:00:13","date_gmt":"2020-11-04T08:00:13","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-force-users-to-change-their-passwords-on-linux\/"},"modified":"2020-11-04T11:00:13","modified_gmt":"2020-11-04T08:00:13","slug":"how-to-force-users-to-change-their-passwords-on-linux","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/","title":{"rendered":"#How to Force Users to Change Their Passwords on Linux"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a2edcced9f6b\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #dd3333;color:#dd3333\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #dd3333;color:#dd3333\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a2edcced9f6b\" checked aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#The_Password_Has_Been_Around_for_Nearly_60_Years\" >The Password Has Been Around for Nearly 60 Years<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#The_Anatomy_of_a_Password\" >The Anatomy of a Password<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#Reviewing_Current_Settings\" >Reviewing Current Settings<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#Setting_a_Maximum_Password_Age\" >Setting a Maximum Password Age<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#Enforcing_an_Immediate_Password_Change\" >Enforcing an Immediate Password Change<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#Should_You_Enforce_Password_Changes\" >Should You Enforce Password Changes?<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#The_chage_Command\" >The chage Command<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/buradabiliyorum.com\/en\/how-to-force-users-to-change-their-passwords-on-linux\/#Making_Password_Changes_for_Everyone_on_a_Network\" >Making Password Changes for Everyone on a Network<\/a><\/li><\/ul><\/nav><\/div>\n<p><strong>&#8220;#How to Force Users to Change Their Passwords on Linux&#8221;<\/strong><\/p>\n<div>\n<figure id=\"attachment_697797\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-697797 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/failed-password-login.jpg\" alt=\"A &quot;failed password&quot; message from sshd.\" width=\"650\" height=\"300\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-photo\/logging-string-failed-password-root-on-752132047\" data-credittext=\"Ilya Titchev\/Shutterstock\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/logging-string-failed-password-root-on-752132047\">Ilya Titchev\/Shutterstock<\/a><\/span><\/figcaption><\/figure>\n<p>Passwords are the keystone to account security. We\u2019ll show you how to reset passwords, set password expiration periods, and enforce password changes on your Linux network.<\/p>\n<h3 id=\"the-password-is-nearly-60\"><span class=\"ez-toc-section\" id=\"The_Password_Has_Been_Around_for_Nearly_60_Years\"><\/span>The Password Has Been Around for Nearly 60 Years<br \/>\n<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We\u2019ve been proving to computers that we are who we say we are since the mid-1960s, when the password was first introduced. Necessity being the mother of invention, the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Compatible_Time-Sharing_System\">Compatible Time-Sharing System<\/a>\u00a0developed at the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Massachusetts_Institute_of_Technology\">Massachusetts Institute of Technology<\/a>\u00a0needed a way to identify different people on the system. It also needed to prevent people from seeing each other\u2019s files.<\/p>\n<p><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fernando_J._Corbat%C3%B3\">Fernando J. Corbat\u00f3<\/a>\u00a0proposed a scheme that allocated a unique username to each person. To prove someone was who they said they were, they had to use a private, personal password to access their account.<\/p>\n<p>The trouble with passwords is they operate just like a key. Anyone who has a key can use it. If someone finds, guesses, or figures out your password, that person can access your account. Until\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Multi-factor_authentication\">multi-factor authentication<\/a>\u00a0is universally available, the password is the only thing keeping unauthorized people (<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Threat_actor\">threat actors<\/a>, in cybersecurity-speak) out of your system.<\/p>\n<p>Remote connections made by a Secure Shell (SSH) can be configured to use SSH keys instead of passwords, and that\u2019s great. However, that\u2019s only one connection method, and it doesn\u2019t cover local logins.<\/p>\n<p>Clearly, the management of passwords is vital, as is the management of the people who are using those passwords.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>How to Create and Install SSH Keys From the Linux Shell<\/em><\/strong><\/p>\n<h3 id=\"the-anatomy-of-a-password\"><span class=\"ez-toc-section\" id=\"The_Anatomy_of_a_Password\"><\/span>The Anatomy of a Password<br \/>\n<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>What makes a password good, anyway? Well, a good password should have all the following attributes:<\/p>\n<ul>\n<li>It\u2019s impossible to guess or figure out.<\/li>\n<li>You haven\u2019t used it anywhere else.<\/li>\n<li>It hasn\u2019t have been involved in a\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.cloudsavvyit.com\/5808\/how-to-check-if-staff-emails-are-in-data-breaches\/\">data breach<\/a>.<\/li>\n<\/ul>\n<p>The\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a>\u00a0(HIBP) website contains over 10 billion sets of breached credentials. With figures that high, chances are someone else has used the same password you are. This means your password might be in the database, even though it wasn\u2019t your account that was breached.<\/p>\n<p>If your password is on the HIBP website, this means it\u2019s on the lists of passwords threat actors\u2019\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.cloudsavvyit.com\/7132\/how-to-protect-your-organization-against-password-dictionary-attacks\/\">brute-force and dictionary attack<\/a>\u00a0tools use when they\u2019re trying to crack an account.<\/p>\n<p>A truly random password (like 4HW@HpJDBr%*Wt@#b~aP) is practically invulnerable, but, of course, you\u2019d never remember it. We highly recommend you use a password manager for online accounts. They generate complex, random passwords for all your online accounts, and you don\u2019t have to remember them\u2014the password manager supplies the correct password for you.<\/p>\n<p>For local accounts, each person has to generate his or her own password. They\u2019ll also need to know what is an acceptable password and what isn\u2019t. They\u2019ll have to be told not to reuse passwords on other accounts, and so on.<\/p>\n<p>This information is usually in an organization\u2019s Password Policy. It instructs people to use a minimum number of characters, mix upper- and lowercase letters, include symbols and punctuation, and so on.<\/p>\n<p>However, according to\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/www.andrew.cmu.edu\/user\/nicolasc\/publications\/Tan-CCS20.pdf\">a brand-new pape<\/a>r from a team at\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.cmu.edu\/\">Carnegie Mellon University<\/a>, all of these tricks add little or nothing to the robustness of a password. Researchers found that the two key factors for password robustness are that they\u2019re at least 12 characters long and sufficiently strong. They measured password strength using a number of software cracker programs, statistical techniques, and neural networks.<\/p>\n<p>A 12-character minimum might sound daunting at first. However, don\u2019t think in terms of a password, but rather, a passphrase\u00a0of three or four unrelated words separated by punctuation.<\/p>\n<p>For example, the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.experte.com\/password-check\">Experte Password Checker<\/a>\u00a0said it would take 42 minutes to crack \u201cchicago99,\u201d\u00a0but 400 billion years to crack \u201cchimney.purple.bag.\u201d It\u2019s also easy to remember and type, and contains only 18 characters.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Why You Should Use a Password Manager, and How to Get Started<\/em><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Reviewing_Current_Settings\"><\/span>Reviewing Current Settings<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before you go changing anything to do with a person\u2019s password, it\u2019s prudent to have a look at their current settings. With the <code>passwd<\/code> command, you can\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/man7.org\/linux\/man-pages\/man1\/passwd.1.html\">review their current settings<\/a>\u00a0with its <code>-S<\/code> (status) option. Note that you\u2019ll also have to use <code>sudo<\/code> with <code>passwd<\/code> if you\u2019re working with someone else\u2019s password settings.<\/p>\n<p>We type the following:<\/p>\n<pre>sudo passwd -S mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697504 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/x1-2.png.pagespeed.gp+jp+jw+pj+ws+js+rj+rp+rw+ri+cp+md.ic.rNtIPxO_zr.png\" alt=\"sudo passwd -S mary in a terminal window.\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>A single line of information is printed to the terminal window, as shown below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697505 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/2-3.png\" alt=\"Output from sudo passwd -S mary in a terminal window.\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You see the following pieces of information (from left to right) in that curt response:<\/p>\n<ul>\n<li><strong>The person\u2019s login name.<\/strong><\/li>\n<li><strong>One of the following three possible indicators <a href=\"https:\/\/buradabiliyorum.com\/en\/category\/download-scripts-themes-apps\/\" data-internallinksmanager029f6b8e52c=\"9\" title=\"Download Scripts &amp; Themes &amp; Apps\" target=\"_blank\" rel=\"noopener\">app<\/a>ears here:<\/strong>\n<ul>\n<li><strong>P:<\/strong> Indicates the account has a valid, working password.<\/li>\n<li><strong>L:<\/strong> Means the account has been locked by the owner of the root account.<\/li>\n<li><strong>NP:<\/strong>\u00a0A password hasn\u2019t been set.<\/li>\n<\/ul>\n<\/li>\n<li><strong>The date the password was last changed.<\/strong><\/li>\n<li><strong>Minimum password age:<\/strong> The minimum period of time (in days) that must elapse between password resets performed by the owner of the account. The owner of the root account, however, can always change anyone\u2019s password. If this value is 0 (zero), there isn\u2019t a restriction on the frequency of password changes.<\/li>\n<li><strong>Maximum password age:<\/strong> The owner of the account is prompted to change his or her password when it reaches this age. This value is given in days, so a value of 99,999 means the password never expires.<\/li>\n<li><strong>Password change warning period:<\/strong> If a maximum password age is enforced, the account owner will receive reminders to change his or her password. The first of these will be sent the number of days shown here before the reset date.<\/li>\n<li><strong>Inactivity period for the password:<\/strong> If someone doesn\u2019t access the system for a period of time that overlaps the password reset deadline, this person\u2019s password won\u2019t be changed. This value indicates how many days the grace period is following a password expiration date. If the account remains inactive this number of days after a password expires, the account is locked. A value of -1 disables the grace period.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Setting_a_Maximum_Password_Age\"><\/span>Setting a Maximum Password Age<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To set a password reset period, you can use the <code>-x<\/code> (maximum days) option with a number of days. You don\u2019t leave a space between the <code>-x<\/code> and the digits, so you would type it as follows:<\/p>\n<pre>sudo passwd -x45 mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697507 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/3-3.png\" alt=\"sudo passwd -x45 mary in a terminal window.\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We\u2019re told the expiry value has been changed, as shown below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697508 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/4-3.png\" alt=\"Notification of the password expiry change in a terminal window.\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Use the <code>-S<\/code> (status) option to check that the value is now 45:<\/p>\n<pre>sudo passwd -S mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697509 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/5-3.png\" alt=\"sudo passwd -S mary in a terminal window.\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Now, in 45 days, a new password must be set for this account. Reminders will commence seven days prior to that. If a new password isn\u2019t set in time, this account will be locked im<a href=\"https:\/\/buradabiliyorum.com\/en\/category\/social-mediaa\/\" data-internallinksmanager029f6b8e52c=\"1\" title=\"Social Media\" target=\"_blank\" rel=\"noopener\">media<\/a>tely.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Enforcing_an_Immediate_Password_Change\"><\/span>Enforcing an Immediate Password Change<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can also use a command so others on your network will have to change their passwords the next time they log in. To do this, you would use the\u00a0<code>-e<\/code> (expire) option, as follows:<\/p>\n<pre>sudo passwd -e mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697524 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/6-4.png\" alt=\"sudo passwd -e mary in a terminal window.\" width=\"647\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We\u2019re then told the password expiry information has changed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697525 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/x7-3.png.pagespeed.gp+jp+jw+pj+ws+js+rj+rp+rw+ri+cp+md.ic.y77JDAc_Cw.png\" alt=\"Output from sudo passwd -e mary in a terminal window.\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Let\u2019s check with the <code>-S<\/code> option and see what\u2019s happened:<\/p>\n<pre>sudo passwd -S mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697526 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/8-3.png\" alt=\"sudo passwd -S mary in a terminal window.\" width=\"646\" height=\"97\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The date of the last password change is set to the first day of 1970. The next time this person tries to log in, he or she will have to change their password. They must also provide their current password before they can type a new one.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697527 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/9-3.png\" alt=\"The Password Reset screen.\" width=\"391\" height=\"327\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Should_You_Enforce_Password_Changes\"><\/span>Should You Enforce Password Changes?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Forcing people to change their passwords regularly used to be common sense. It was one of the routine security steps for most installations and considered a good business practice.<\/p>\n<p>The thinking now is the polar opposite. In the U.K., the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/\">National Cyber Security Centre<\/a>\u00a0strongly advises <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/blog-post\/problems-forcing-regular-password-expiry\">against enforcing regular password renewals<\/a>, and the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.nist.gov\/\">National Institute of Standards and Technology<\/a>\u00a0in the U.S. agrees. Both organizations recommend enforcing a password change only if you know or suspect an existing one is <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-63b.pdf\">known by others<\/a>.<\/p>\n<p>Forcing people to change their passwords becomes monotonous and encourages weak passwords. People usually start reusing a base password with a date or other number tagged onto it. Or, they\u2019ll write them down because they have to change them so often, they can\u2019t remember them.<\/p>\n<p>The two organizations we mentioned above recommend the following guidelines for password security:<\/p>\n<ul>\n<li><strong>Use a password manager:<\/strong>\u00a0For both online and local accounts.<\/li>\n<li><strong>Turn on two-factor authentication:<\/strong>\u00a0Wherever this is an option, use it.<\/li>\n<li><strong>Use a strong passphrase:<\/strong>\u00a0An excellent alternative for those accounts that won\u2019t work with a password manager. Three or more words separated by punctuation or symbols is a good template to follow.<\/li>\n<li><strong>Never reuse a password:<\/strong>\u00a0Avoid using the same password you use for another account, and definitely don\u2019t use one listed on\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a>.<\/li>\n<\/ul>\n<p>The tips above will allow you to establish a secure means to access your accounts. Once you have these guidelines in place, stick with them. Why change your password if it\u2019s strong and secure? If it falls into the wrong hands\u2014or you suspect that it has\u2014you can change it then.<\/p>\n<p>Sometimes, this decision is out of your hands, though. If the powers that be enforce password changes, you don\u2019t have much choice. You can plead your case and make your position known, but unless you\u2019re the boss, you\u2019ll have to follow company policy.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>Should You Change Your Passwords Regularly?<\/em><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_chage_Command\"><\/span>The chage Command<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>You can use <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/man7.org\/linux\/man-pages\/man1\/chage.1.html\">the <code>chage<\/code> command<\/a> to change the settings regarding password aging. This command gets its name from \u201cchange aging.\u201d\u00a0It\u2019s like the <code>passwd<\/code> command with the password-creation elements removed.<\/p>\n<p>The <code>-l<\/code> (list) option presents the same information as the\u00a0<code>passwd -S<\/code>\u00a0command, but in a more friendly fashion.<\/p>\n<p>We type the following:<\/p>\n<pre>sudo chage -l eric<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697548 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/17-1.png\" alt=\"sudo chage -l eric in a terminal window.\" width=\"646\" height=\"212\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Another neat touch is you can set an account expiration date using the\u00a0<code>-E<\/code> (expiry) option. We\u2019ll pass a date (in the year-month-date format) to set an expiration date of Nov. 30, 2020. On that date, the account will be locked.<\/p>\n<p>We type the following:<\/p>\n<pre>sudo chage eric -E 2020-11-30<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697549 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/18-1.png\" alt=\"sudo chage eric -E 2020-11-30 in a terminal window.\" width=\"646\" height=\"58\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Next, we type the following to make sure this change has been done:<\/p>\n<pre>sudo chage -l eric<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697552 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/19-1.png\" alt=\"sudo change -l eric in a terminal window.\" width=\"644\" height=\"210\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We see the account expiration date has changed from \u201cnever\u201d to Nov. 30, 2020.<\/p>\n<p>To set a password expiration period, you can use the <code>-M<\/code> (maximum days) option, along with the maximum number of days a password can used before it must be changed.<\/p>\n<p>We type the following:<\/p>\n<pre>sudo chage -M 45 mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697561 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/20.png\" alt=\"sudo change -M 45 mary in a terminal window.\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We type the following, using the <code>-l<\/code> (list) option, to see the effect of our command:<\/p>\n<pre>sudo chage -l mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697564 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/23.png\" alt=\"sudo change -l mary in a terminal window.\" width=\"646\" height=\"212\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The password expiration date is now set to 45 days from the date we set it, which, as we\u2019re shown, will be Dec. 8, 2020.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Making_Password_Changes_for_Everyone_on_a_Network\"><\/span>Making Password Changes for Everyone on a Network<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When accounts are created, a set of default values are used for passwords. You can define what the defaults are for the minimum, maximum, and warning days. These are then held in a file called \u201c\/etc\/login.defs.\u201d<\/p>\n<p>You can type the following to open this file in <code>gedit<\/code>:<\/p>\n<pre>sudo gedit \/etc\/login.defs<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-697554\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/10-2.png\" alt=\" in a terminal window in a terminal window\" width=\"644\" height=\"55\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Scroll to the password aging controls.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697555 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/11-4.png\" alt=\"The password aging controls in the gedit editor.\" width=\"646\" height=\"237\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You can edit these to suit your requirements, save your changes, and then close the editor. The next time you create a user account, these default values will be applied.<\/p>\n<p>If you want to change all the password expiration dates for existing user accounts, you can easily do so with a script. Just type the following to open the <code>gedit<\/code>\u00a0editor and create a file called \u201cpassword-date.sh\u201d:<\/p>\n<pre>sudo gedit password-date.sh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697565 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/12-2.png\" alt=\"sudo gedit password-date.sh in a terminal window.\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Next, copy the following text into your editor, save the file, and then close\u00a0<code>gedit<\/code>:<\/p>\n<pre>#!\/bin\/bash&#13;\n&#13;\nreset_days=28&#13;\n&#13;\nfor username in $(ls \/home)&#13;\ndo&#13;\n  sudo chage $username -M $reset_days&#13;\n  echo $username password expiry changed to $reset_days&#13;\ndone<\/pre>\n<p>This will change the maximum number of days for each user account to 28, and therefore, the password reset frequency. You can adjust the value of the <code>reset_days<\/code> variable to suit.<\/p>\n<p>First, we type the following to make our script executable:<\/p>\n<pre>chmod +x password-date.sh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697567 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/13-1.png\" alt=\"chmod +x password-date.sh in a terminal window.\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Now, we can type the following to run our script:<\/p>\n<pre>sudo .\/password-date.sh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697568 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/14-2.png\" alt=\"sudo .\/password-date.sh in a terminal window.\" width=\"646\" height=\"57\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Each account is then processed, as shown below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697569 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/21-1.png\" alt=\"Four user accounts with password expiry values changed to 28 in a terminal window.\" width=\"646\" height=\"147\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>We type the following to check the account for \u201cmary\u201d:<\/p>\n<pre>sudo change -l mary<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-697570 size-full\" src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2020\/10\/22.png\" alt=\"sudo chage -l mary in a terminal window.\" width=\"646\" height=\"212\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The maximum days\u2019 value has been set to 28, and we\u2019re told that will fall on Nov. 21, 2020. You can also easily modify the script and add more <code>chage<\/code> or <code>passwd<\/code> commands.<\/p>\n<hr\/>\n<p>Password management is something that must be taken seriously. Now, you have the tools you need to take control.<\/p>\n<\/div>\n<p><script>\n setTimeout(function(){\n  !function(f,b,e,v,n,t,s)\n  {if(f.fbq)return;n=f.fbq=function(){n.callMethod?\n  n.callMethod.apply(n,arguments):n.queue.push(arguments)};\n  if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version='2.0';\n  n.queue=[];t=b.createElement(e);t.async=!0;\n  t.src=v;s=b.getElementsByTagName(e)[0];\n  s.parentNode.insertBefore(t,s) } (window, document,'script',\n  'https:\/\/connect.facebook.net\/en_US\/fbevents.js');\n   fbq('init', '335401813750447');\n   fbq('track', 'PageView');\n  },3000);\n<\/script><\/p>\n<blockquote>\n<p style=\"text-align: center;\">For forums sites go to <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/forum.buradabiliyorum.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Forum.BuradaBiliyorum.Com<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<blockquote>\n<p style=\"text-align: center;\"><strong>If you want to read more like this article, you can visit our <span style=\"color: #ff9900;\"><a style=\"color: #ff9900;\" href=\"https:\/\/en.buradabiliyorum.com\/technology\/\" target=\"_blank\" rel=\"noopener noreferrer\">Technology category.<\/a><\/span><\/strong><\/p>\n<\/blockquote>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/697153\/how-to-force-users-to-change-their-passwords-on-linux\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Force Users to Change Their Passwords on Linux&#8221; Ilya Titchev\/Shutterstock Passwords are the keystone to account security. We\u2019ll show you how to reset passwords, set password expiration periods, and enforce password changes on your Linux network. The Password Has Been Around for Nearly 60 Years We\u2019ve been proving to computers that we are&#8230;<\/p>\n","protected":false},"author":1,"featured_media":104702,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/thumbcache\/2\/200\/bf4b93ebd38d5228370f1e20e54033b0\/wp-content\/uploads\/2020\/10\/failed-password-login.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-104701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/104701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=104701"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/104701\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/104702"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=104701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=104701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=104701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}