Users and Passwords in Linux

Before you start

Objectives: Learn how to set or change passwords for users on Linux machines.

Prerequisites: no prerequisites.

Key terms: passwd, Linux, administration, reset, set, management


 Working With Passwords

Today, we won’t see passwords in the /etc/passwd file any more. Instead, they are moved to the /etc/shadow password file, where they are encrypted. By default, shadow passwords are enabled during installation, however we control use of shadow passwords after installation using the following commands:

  • pwconv – use /etc/shadow instead of /etc/passwd
  • grpconv – use the /etc/gshadow file for groups
  • pwunconv – stop using shadow passwords (use /etc/passwd instead of /etc/shadow)
  • grpunconv – stop using the group shadow file

An “x” in the password field of /etc/passwd indicates that shadow passwords are used.

passwd Command

With the passwd command we can set passwords, disable accounts, configure password expiration times, etc. Whenever we set a new password, we should use a complex password. Complex passwords have at least eight characters, contain a mix of lower case and upper case letters and numbers, and do not contain recognizable patterns (such as words or the user account name). Linux automatically enforces complex passwords, however, as the root user we can set a password that does not meet these complexity requirements.

  • passwd name – assign or change the password for a user. We’ll be prompted to enter the password. For example, if we enter “passwd cicnavi“, this will change the password for the cicnavi account. If we want to change the password for current user, we simply enter “passwd“.
  • passwd -d name – remove the password from an account. For example, “passwd -d cicnavi” removes the password from the cicnavi account.
  • passwd -x # name – set the number of days a password can be used (password expiration time). For example, “passwd -x 30 cicnavi“requires cicnavi to change his password every 30 days.
  • passwd -n # name – set the minimum number of days a password exists before it can be changed. For example, “passwd -n 5 cicnavi” means that cicnavi cannot change his password for 5 days following the most recent change.
  • passwd -w # name – set the number of days before the password expires that the user is warned. For example, “passwd -w 2 cicnavi” means that cicnavi will be warned 2 days before his password expires.
  • passwd -i # name – set the number of days following the password expiration that the account will be disabled. For example, “passwd -i 7 cicnavi” will disable the cicnavi account after 7 days if the password is not changed.
  • usermod -L name or passwd -l name – disable (lock) an account. These commands insert a ! before the password, effectively disabling the account. For example, “passwd -l cicnavi” locks the cicnavi account.
  • usermod -U name or passwd -u name – enable (unlock) an account. For example, “passwd -u cicnavi” unlocks the cicnavi account.

Note that if we see “!” for the first character in the password field for a user account, it means that the account is disabled.  Also, any single-character entry in the password field means the account is disabled and no password is set.