User management is an important part of Linux administration, so it's essential to know about all the user accounts on a Linux system. Some common user administration tasks are to list users, disable a user account, or create and modify user accounts.

In this guide, we will be focusing on managing user passwords. It's good security practice to force users to change their password every once in a while by setting passwords to expire. In the examples below, you'll see how to reset a user's password, set their password to expire (either instantly or in the future), and see the age of a user's password. We'll also see how password changes can be seen in log files, giving us some insight into user's password change history.

In this tutorial you will learn:
  • How to set a user's password to expire
  • How to see the age of a user's password
  • How to see password changes in log files
Password expiration and history information on Linux
Password expiration and history information on Linux
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Any Linux distro
Software N/A
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ - requires given linux commands to be executed as a regular non-privileged user

Set a user's password to expire


SUBSCRIBE TO NEWSLETTER
Subscribe to our NEWSLETTER and receive latest Linux news, jobs, career advice and tutorials.


As the root user, you can set a user's password to expire by executing the passwd -e command. The following example will expire the password for user "linuxconfig". Doing this will prompt the user to change their password the next time they try to login to the system.

$ sudo passwd -e linuxconfig
Forcing a user password to expire with the passwd -e command
Forcing a user password to expire with the passwd -e command

This will force the user to choose a new password. When we try to go back to our old password, you can see the "Password unchanged" error that we receive in the screenshot below.

The error we receive when trying to re-use an old password
The error we receive when trying to re-use an old password

If you don't want the user's password to expire right away (that is, as soon as the command above is executed), then we can use the chage command. Notice this command looks a lot like the word "change," but be aware it's not a typo and it really is chage without the "n."



Add the -M option to your command, and specify the length of time, in days, when a user's password should expire. The following example will make user "linuxconfig" password expire 30 days from now.

$ sudo chage -M 30 linuxconfig

We can also choose a day for the password to expire by using the -E option and specifying the date in a YYYY-MM-DD format. This command will force a user's password to expire on January 15, 2023.

$ sudo chage -E 2023-01-15 linuxconfig

Use the -W option to warn a user that their password will soon expire. For example, this command will warn a user 7 days in advance that their password is going to expire.

$ sudo chage -W 7 linuxconfig

See the age of a user's password

We can once again turn to the chage command when we wish to see information about the age of a user's password. The -l option will list when a user's password was last change, and when their password is set to expire.

$ chage -l linuxconfig
Seeing when the password was last changed and future expiration information
Seeing when the password was last changed and future expiration information

See password changes in log files



Linux logs a lot of data, and password changes are no exception. Debian based systems such as Ubuntu will store password changes in the /var/log/auth.log file, and Red Hat based systems store this information in /var/log/secure. Use the following grep command to take a peek into the appropriate file.

$ grep -R -i passwd /var/log/auth.log
Viewing password changes in the log file
Viewing password changes in the log file

As you can see in the screenshot above, the log shows us when our "linuxconfig" user account had their password set to expire, and it also shows when the user's password was changed.

Closing Thoughts

In this guide, we saw how to manage user account passwords on Linux by forcing a password to expire, setting it to expire in the future, seeing when the password was last changed, and viewing logs to see password changes. These should be all the commands you need to know in order to manage user account passwords and keep your system secure through regularly expiring passwords.

FIND LATEST LINUX JOBS on LinuxCareers.com
Submit your RESUME, create a JOB ALERT.
LINUX CAREER NEWSLETTER
Subscribe to NEWSLETTER and receive latest news, jobs, career advice and tutorials.
DO YOU NEED ADDITIONAL HELP?
Get extra help by visiting our LINUX FORUM or simply use comments below.