How to Force Users to Change Their Passwords on Linux


Passwords are the backbone of account security. We’ll show you how to reset passwords, set password expiration periods, and apply password changes on your Linux network.

The password has been around for almost 60 years

We’ve been proving to computers that we are who we say we are since the mid-1960s, when the password was first introduced. Necessity being the mother of invention, the Compatible Time-Sharing System (CTSS) developed at the Massachusetts Institute of Technology needed a way to tell the different people using the system apart. It also needed to stop users from reading other people’s files.

Fernando J. Corbató proposed a scheme that assigned a unique username to each person. To prove that they were who they claimed to be, a user had to supply a private, personal password before they could access their account.

The problem with passwords is that they work like a key. Anyone holding the key can use it. If someone finds, guesses, or computes your password, that person can access your account. Until multi-factor authentication is universally available, the password is the only thing keeping unauthorized people (threat actors, in cybersecurity-speak) out of your system.

Remote connections made by a Secure Shell (SSH) can be configured to use SSH keys instead of passwords, and that’s fine. However, this is only one connection method and does not cover local connections.

Obviously, managing passwords is vital, as is managing who is using those passwords.


The anatomy of a password

What makes a good password anyway? Well, a good password should have all of the following attributes:

It is impossible to guess or derive.
You haven’t used it anywhere else.
It has not been exposed in a data breach.

The Have I Been Pwned (HIBP) website holds more than 10 billion sets of breached credentials. With numbers this high, it’s likely that someone else has used the same password as you. This means that your password may be in the database even though it was not your account that was breached.

If your password is on the HIBP website, it is also in the word lists that threat actors’ brute-force and dictionary-attack tools draw on when trying to break into an account.

A truly random password (like 4HW@HpJDBr%*Wt@#b~aP) is practically invulnerable, but, of course, you’ll never remember it. We strongly recommend that you use a password manager for online accounts. It generates complex, random passwords for all your online accounts, and you don’t have to remember them: the password manager supplies the correct password for you.

For local accounts, each person must generate their own password. They will also need to know what an acceptable password is and what is not. They should be told not to reuse passwords on other accounts, etc.

This information is typically found in an organization’s password policy. It asks people to use a minimum number of characters, mix uppercase and lowercase letters, include symbols and punctuation marks, etc.

However, according to a recent paper from a team at Carnegie Mellon University, all of these tips add little or nothing to the strength of a password. The researchers found that the two key factors in password strength are that a password is at least 12 characters long and that it is strong enough. They measured password strength using a number of password-cracking programs, statistical techniques, and neural networks.

A minimum of 12 characters can seem intimidating at first. However, don’t think in terms of a password, but rather in terms of a passphrase of three or four independent words separated by punctuation marks.

For example, the Expert Password Checker said it would take 42 minutes to break “chicago99”, but 400 billion years to break “chimney.purple.bag”. It is also easy to memorize and type, and only contains 18 characters.


Checking the current settings

Before changing anything related to a person’s password, it is prudent to review their current settings. With the passwd command, you can review their current settings with its -S (status) option. Note that you will also need to use sudo with passwd if you are working with someone else’s password settings.

We type the following:

sudo passwd -S mary


A single line of information is printed in the terminal window.

You see the following information (left to right) in this short answer:

The person’s login name.
One of the following three possible indicators appears here:
P: Indicates that the account has a valid and functional password.
L: Means the account has been locked by the root user.
NP: No password has been set.

Date of the last password change.
Minimum password age: The minimum period (in days) that must elapse between password resets performed by the account owner. However, the owner of the root account can still change anyone’s password. If this value is 0 (zero), there is no restriction on the frequency of password changes.
Maximum password age: The account owner is prompted to change their password when they reach this age. This value is given in days, so a value of 99,999 means the password never expires.
Password change warning period: If a maximum password age is enforced, the account owner will receive reminders to change their password. The first of these will be sent the number of days specified here before the reset date.
Password inactivity period: If someone does not log in to the system during the period around the password reset deadline, that person’s password will not get changed. This value is the number of days in the grace period after the password expiration date. If the account is still inactive when that number of days has passed since the password expired, the account is locked. A value of -1 disables the grace period.
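To make the field layout above concrete, here is a small shell function, added to this article and not part of it, that turns one line of passwd -S output into a readable summary. The sample status lines embedded in it are constructed; the user names and dates are assumptions, not real accounts. The 01/01/1970 check reflects what passwd -e does to the last-change date, described later in the article.

```shell
#!/bin/bash
# Added example, not from the original article: summarize one line of
# `passwd -S` output. The sample lines at the bottom are constructed.

# Field order: login status last-change min-days max-days warn-days inactive-days
summarize_status_line() {
    local login status last min max warn inactive summary
    read -r login status last min max warn inactive <<EOF
$1
EOF
    case "$status" in
        P)  summary="password set" ;;
        L)  summary="LOCKED" ;;
        NP) summary="NO PASSWORD SET" ;;
        *)  summary="unknown status '$status'" ;;
    esac
    # passwd -e resets the last-change date to the epoch (shown as 01/01/1970),
    # which forces a password change at the next login.
    if [ "$last" = "01/01/1970" ]; then
        summary="$summary; change required at next login"
    fi
    # 99999 is the conventional "never expires" value for the maximum age.
    if [ "$max" -ge 99999 ]; then
        summary="$summary; never expires"
    else
        summary="$summary; expires $max days after last change ($last); warned $warn days before"
        # -1 means the inactivity lock-out is disabled, so only report it when set.
        if [ "$inactive" -ge 0 ]; then
            summary="$summary; locked $inactive days after expiry"
        fi
    fi
    if [ "$min" -gt 0 ]; then
        summary="$summary; user may change at most every $min days"
    fi
    # A minimum age larger than the maximum leaves the user unable to change
    # the password themselves before it expires.
    if [ "$min" -gt "$max" ]; then
        summary="$summary; WARNING: minimum age exceeds maximum age"
    fi
    printf '%s: %s\n' "$login" "$summary"
}

# Constructed sample output of `passwd -S`, one account per line (assumed accounts).
SAMPLE_STATUS='mary P 10/20/2020 0 45 7 -1
eric P 01/01/1970 0 99999 7 -1
svc NP 09/01/2020 0 99999 7 -1
bob L 09/01/2020 60 30 0 14'

# Count accounts with no password set at all (NP), the setting to look for first.
count_no_password() {
    printf '%s\n' "$SAMPLE_STATUS" | awk '$2 == "NP" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_STATUS" | while IFS= read -r line; do
    summarize_status_line "$line"
done
echo "accounts without a password: $(count_no_password)"
```

On a real system you would feed the function the output of sudo passwd -S for each account instead of the constructed SAMPLE_STATUS text, and treat any NP entry as something to fix straight away.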

Setting the maximum password age

To set a password reset period, you can use the -x (maximum days) option with a number of days. You don’t leave a space between -x and the digits, so you must enter it as follows:

sudo passwd -x45 mary


We are told that the expiration value has been changed.

Use the -S (status) option to verify that the value is now 45:

sudo passwd -S mary


A new password must now be set for this account within 45 days. Reminders will start seven days before that. If a new password is not set in time, the account is locked immediately.

Apply an immediate password change

You can also use a command so that other users on your network will have to change their passwords the next time they log on. To do this, you would use the -e (expire) option, as follows:

sudo passwd -e mary


We are then told that the password expiration information has changed.

Let’s check with the -S option and see what happened:

sudo passwd -S mary


The date of the last password change is the first day of 1970. The next time this person tries to log in, they will need to change their password. They must also provide their current password before they can enter a new one.


Should you apply password changes?

Forcing people to change their passwords regularly used to be considered common sense. It was one of the routine security steps at most installations and was regarded as good business practice.

Thinking has now swung to the opposite extreme. In the United Kingdom, the National Cyber Security Centre strongly advises against regular password renewal, and the National Institute of Standards and Technology in the United States agrees. Both organizations recommend forcing a password change only if you know or suspect that a password has become known to others.

Forcing people to change their passwords becomes monotonous and encourages weak passwords. People usually start to reuse a basic password with a date or other number stamped on it. Or, they’ll write them down because they have to change them so often that they can’t remember.

The two organizations we mentioned above recommend the following guidelines for password security:

Use a password manager: For online and local accounts.
Enable two-factor authentication: Wherever it is an option, use it.
Use a strong passphrase: A great alternative for accounts that don’t work with a password manager. Three or more words separated by punctuation marks or symbols are a good pattern to follow.
Never reuse a password: Avoid using the same password that you use for another account, and definitely do not use one listed on Have I Been Pwned.

The tips above will help you set up a secure way to access your accounts. Once these guidelines are in place, stick to them. Why change your password if it is solid and secure? If it falls into the wrong hands – or if you think it has – then you can change it.

Sometimes that decision is not in your hands. If the powers that be enforce regular password changes, you don’t have much choice. You can make your case and make your position known, but unless you are the boss, you will have to follow company policy.


The chage command

You can use the chage command to modify the parameters that govern password aging. The command takes its name from “change aging”. It is like the passwd command with the password-setting elements removed.

The -l (list) option presents the same information as the passwd -S command, but in a more user-friendly way.

We type the following:

sudo chage -l eric


Another nice touch is that you can set an account expiration date using the -E (expiration) option. We will pass a date (in year-month-day format) to set an expiration date of November 30, 2020. On that date, the account will be locked.

We type the following:

sudo chage eric -E 2020-11-30


Then we type the following to make sure this change has been made:

sudo chage -l eric


We see that the account expiration date has changed from “never” to November 30, 2020.

To set a password expiration period, you can use the -M (maximum days) option, followed by the maximum number of days a password can be used before it must be changed.

We type the following:

sudo chage -M 45 mary


We type the following, using the -l (list) option, to see the effect of our command:

sudo chage -l mary


The password expiration date is now 45 days from the date on which we set it, which in our case is December 8, 2020.

Changing the password for everyone on a network

When creating accounts, a set of default values is used for passwords. You can set the default values for the minimum, maximum, and warning days. These are kept in a file called “/etc/login.defs”.

You can type the following to open this file in gedit:

sudo gedit /etc/login.defs


Scroll down to the password aging controls.


You can edit them as needed, save your changes, and then close the editor. The next time you create a user account, these defaults will be applied.

If you want to change all password expiration dates for existing user accounts, you can easily do that with a script. Simply type the following to open the gedit editor and create a file called “password-date.sh”:

sudo gedit password-date.sh


Then copy the following text into your editor, save the file, then close gedit:

#!/bin/bash

# Maximum number of days a password may be used before it must be changed.
reset_days=28

# Loop over every home directory name in /home and treat it as a user name.
for username in $(ls /home)
do
  sudo chage -M "$reset_days" "$username"
  echo "$username password expiry changed to $reset_days"
done

This will change the maximum number of days for each user account to 28, and therefore, how often the password is reset. You can adjust the value of the reset_days variable accordingly.
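The script above derives its user list from the directory names in /home, which misses accounts whose home lives elsewhere and picks up directories that are not accounts at all. As an added example, not the article’s script, the version below reads the accounts from the password database instead, takes the reset value from the PASS_MAX_DAYS setting in login.defs so that existing accounts end up matching the defaults set for new ones, and only prints the chage commands unless DRY_RUN=0 is set. The embedded passwd and login.defs contents are constructed samples; the 1000–60000 UID range mirrors the usual UID_MIN/UID_MAX defaults and is an assumption.

```shell
#!/bin/bash
# Added example, not from the original article. Constructed sample data below
# stands in for /etc/passwd and /etc/login.defs so the script runs offline.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mary:x:1000:1000:Mary:/home/mary:/bin/bash
eric:x:1001:1001:Eric:/home/eric:/bin/bash
backup-svc:x:1002:1002:Backup:/home/backup-svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

SAMPLE_LOGIN_DEFS='# Password aging controls (constructed sample, not a real file)
#PASS_MAX_DAYS   99999
PASS_MAX_DAYS   28
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN 1000
UID_MAX 60000'

# Print the value of one login.defs key read from stdin; commented-out
# lines such as "#PASS_MAX_DAYS 99999" do not match because of the "#".
login_defs_value() {
    awk -v k="$1" '$1 == k { print $2 }'
}

# Print the login names of interactive human accounts read from stdin in
# passwd format: UID inside [uid_min, uid_max] and a real login shell.
list_login_users() {
    local uid_min="${1:-1000}" uid_max="${2:-60000}"
    local name pw uid gid gecos home shell
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" -lt "$uid_min" ] || [ "$uid" -gt "$uid_max" ]; then
            continue
        fi
        case "$shell" in
            */nologin|*/false) continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Apply the maximum age to each user name read from stdin. With DRY_RUN=1
# (the default here) it only prints the chage command it would run.
apply_max_age() {
    local reset_days="$1" user
    while IFS= read -r user; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would run: chage -M %s %s\n' "$reset_days" "$user"
        else
            chage -M "$reset_days" "$user" && echo "$user password expiry changed to $reset_days"
        fi
    done
}

# Wrappers over the constructed samples; on a real system replace them with
# `getent passwd` and `cat /etc/login.defs`.
sample_max_days() {
    printf '%s\n' "$SAMPLE_LOGIN_DEFS" | login_defs_value PASS_MAX_DAYS
}

sample_users() {
    printf '%s\n' "$SAMPLE_PASSWD" | list_login_users \
        "$(printf '%s\n' "$SAMPLE_LOGIN_DEFS" | login_defs_value UID_MIN)" \
        "$(printf '%s\n' "$SAMPLE_LOGIN_DEFS" | login_defs_value UID_MAX)"
}

sample_users | apply_max_age "$(sample_max_days)"
```

Run it as-is to see which accounts would be touched and with what value; only once the list looks right would you run it as root with DRY_RUN=0, since chage -M needs root privileges.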

First, we type the following to make our script executable:

chmod +x password-date.sh


Now we can type the following to run our script:

sudo ./password-date.sh


Each account is then processed in turn, and a confirmation line is printed for each one.

We type the following to verify the account of “Mary”:

sudo chage -l mary


The maximum days value has been set to 28, and we’re told the password will expire on November 21, 2020. You can also easily edit the script and add further chage or passwd commands.

Managing passwords is something that should be taken seriously. Now you have the tools you need to take control.
