Last updated on July 17, 2020 by Dan Nanni
In multi-user Linux environment, it's a standard practice to create user accounts with some random default password. Then after a successful login, a new user can change the default password to his or her own. For security reasons, it is often recommended to "force" users to change the default password after the first login to make sure that the initial one-time password is no longer used.
Here is how to force a user to change his or her password on the next login.
Every user account in Linux is associated with various password-related configurations and information. For example, it remembers the date of the last password change, the minimum/maximum number of days between password changes, and when to expire the current password, etc.
A command-line tool called
chage can access and adjust password expiration related configurations. You can use this tool to force password change of any user at the next login.
To view password expiration information of a particular user (e.g.,
alice), run the following command. Note that you need root privilege only when you are checking password age information of any other user than yourself.
$ sudo chage -l alice
If you want to force a user to change his or her password, use the following command.
$ sudo chage -d0 <user-name>
Originally the "
-d <N>" option is supposed to set the "age" of a password (in terms of the number of days since January 1st, 1970 when the password was last changed). So
-d0 indicates that the password was changed on January 1st, 1970, which essentially expires the current password, and causes it to be changed on the next login.
Another way to expire the current password is via
$ sudo passwd -e <user-name>
The above command has the same effect of "
chage -d0", making the current password of the user expire immediately.
Now check the password information of the user again, and you will see:
When you log in again, you will be asked to change the password. You will need to verify the current password one more time before the change.
To set more comprehensive password policies (e.g., password complexity, reuse prevention), you can use PAM. See the article for more detail.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.