Linux Mint – Changing passwords


With the Users and Groups tool, changing passwords is easy. In the preceding section, we discussed how to set a password for a user while creating a new account. To change the password for a user, simply go through the process again: click on the text next to Password, then type in the new password. That’s it!

On the shell, the passwd command allows a user to change their own password. In fact, a user can even change their own password via the GUI by accessing System Settings and then Account Details, so using a terminal command such as passwd isn’t required. However, the passwd command also allows administrators to change the passwords of other users.

Although we’ll discuss sudo in more detail later in this chapter, the sudo command allows you to run a command as an administrator, provided you are a member of the sudo group. If you execute the sudo passwd command, followed by a username, you can change the password for any user you like (even if you don’t know their password). This is very useful for IT administrators to assist those who may have forgotten their password.

Be careful when entering the passwd command with sudo but with no username specified. Doing so sets a password for root, which enables the root user account; this may or may not be something you want to do. If you’ve done so and want to disable the root user account once again, execute the following command:

sudo passwd -l root

In addition, you may wish to make passwords expire after a period of time, requiring users to change them after that time. For this, the chage command is used. With the chage command, you can set a minimum and a maximum age for user passwords. The minimum age is how long until the password can be changed again, and the maximum age is how long until changing the password becomes mandatory.

You may be wondering, “Why set a minimum age for a password?” One reason is user behavior. Many users get accustomed to a particular password. If such a user finds a loophole that lets them retain the same password forever, they can and will use it. These types of users may change their password to satisfy the change requirement and then change it right back to what it was earlier. A minimum password age won’t allow the user to change his or her password right away, thereby forcing them to use a new password for a while. Such a policy won’t completely stop users from reusing passwords, but it makes it less convenient to do so.

In order to set a maximum password age for a user, execute the chage command similar to the following example:

sudo chage -M 90 username

In this example, the -M portion of the preceding command refers to the maximum number of days the password can exist. In the example, 90 days was specified. Therefore, the user will need to change their password in 90 days.

In order to give the user a minimum password age, a command similar to the following example can be used:

sudo chage -m 5 username

Notice that the -M portion of the command discussed earlier changed to a lowercase -m instead. The -m flag specifies the minimum password age. In the preceding example, we set a minimum password age of 5 days. This means that once the user changes his or her password, they’ll be unable to change their password again for the next 5 days.

Keep in mind that a clever user with administrative rights can easily bypass a minimum password age requirement by simply running the sudo passwd username command with their own name as the username value.

If you would like to see what a user’s current password attributes are, execute the following command without making any changes:

sudo chage -l joeuser

After executing the chage -l command, you’ll see all the current values for when a user’s account will expire as well as the minimum password age. In corporate environments, the large majority of cases where users are unable to access their systems are caused by users ignoring the repeated prompts that informed them that their password was going to expire, and they likely won’t mention this when they ask you for assistance. The chage command should reveal the root of the issue right away.
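
The values that chage -m and chage -M set are stored per user in /etc/shadow, so the same check can be run across every account at once. The following is an added example, not part of the original article: the function name audit_aging, the status labels and the sample accounts are assumptions made for illustration, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: audit password ageing from shadow(5)-format lines on stdin.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01; min and max are what chage -m / -M set.

# audit_aging TODAY   (TODAY = current day number since the epoch)
audit_aging() {
    awk -F: -v today="$1" '
        # Skip accounts whose password is locked or disabled (hash starts
        # with "!" or "*"), e.g. root after "passwd -l root".
        $2 ~ /^[!*]/ { next }
        {
            status = ""
            # Empty or 99999 (the conventional default) means no maximum age.
            if ($5 == "" || $5 + 0 >= 99999)
                status = status " no-max-age"
            # Simplified expiry test: strictly past lastchg + max.
            else if ($3 != "" && $3 + 0 > 0 && $3 + $5 < today)
                status = status " expired"
            # Without a minimum age a user can change straight back.
            if ($4 == "" || $4 + 0 == 0)
                status = status " no-min-age"
            if (status == "") status = " ok"
            print $1 ":" status
        }'
}

# Constructed sample input (placeholder hashes, not real accounts).
sample_shadow() {
    cat <<'EOF'
alice:$6$constructed:19900:5:90:7:::
bob:$6$constructed:19700:0:90:7:::
carol:$6$constructed:19900:0:99999:7:::
root:!:19000:0:99999:7:::
EOF
}

# Demo on the sample with a fixed day number. On a real system:
#   sudo cat /etc/shadow | audit_aging "$(( $(date +%s) / 86400 ))"
sample_shadow | audit_aging 19950
```

Accounts reported as expired are the ones that will be locked out at the next login; those reported as no-min-age can change their password back immediately after a forced change.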
