How to Enforce Password Expiry Policies in Linux


We recently looked at how to enforce password requirements in CentOS. That article dealt with the specifics of the password itself – number of digits, capital letters, special characters, password credits and so on. But password security is an ongoing affair. Setting one password and leaving it unchanged indefinitely is generally frowned upon. Moreover, you want to give users a chance to create their own passwords instead of keeping the one you provide.

So in this article, we’ll look at three things:

  1. How to make users change their password immediately (either on login or at another time);
  2. How to enforce a “Password Expiry” time limit for an individual user;
  3. How to enforce a “global” password expiry variable for ALL users.

So let’s get started.

Immediate Password Change

After you create an account for a user on a Linux server, you typically set a default temporary password and send it to them via chat or e-mail. It’s a good idea to force these users to create their own password immediately after they log in. This way, the password you sent them won’t be lying around in plain text in an e-mail. Or at least, you divest yourself of the responsibility: nobody on your staff who can read that e-mail will still have access.

To do this, we simply “expire” the password as soon as we create it. The command for this is:

passwd -e [username]

Replace [username] with the relevant username. This immediately expires the password and forces the user to change it as soon as they login.

Here’s a screenshot of a first login as an example:

You can see that the user can log in as usual. But when that happens, the system forces them to select a new password. This goes well with account creation. Just use this command as soon as a new account/password combination is generated, and everyone will be forced to change their password when they log in for the first time.

Configuring Password Expiry for an Individual User

The next step is implementing password ageing. This means that a password expires after a certain number of days and the user is forced to change it immediately after. To do this for an individual user, use the command:

passwd -x90 [username]

As before, replace [username] with the user’s name. Also, change the number after “-x” to the number of days after which the password needs to expire. In this example, I’ve chosen 90 days. To see the changes in effect, you can use the “-S” parameter like this:

passwd -S [username]

This gives the following output:

The third number from the right in the “passwd -S” output is the maximum password age in days (the value set with “-x”). Use this tool to configure unique password expiry dates for individual users instead of a policy as a whole.

Creating a Global Password Expiry Ageing Policy

The above step is for single users. To enforce a password ageing policy for the entire system, we need to change a line in the following file:

/etc/login.defs

Inside this file is a parameter called PASS_MAX_DAYS. By changing it, you affect the password expiry policy of all users created afterwards with the “useradd” command. Here’s what the parameter looks like inside the file:

PASS_MAX_DAYS 90

In this example, I’ve set the password expiry for 90 days. Since it’s done via a variable in the /etc/login.defs file, it’s a global property. In the following screenshot, I’ve created a new user and password and used the “passwd -S” command to check the password expiry:

As you can see, all new user accounts have their password ageing policy set according to the above file. This way, you have complete control over the password expiry dates of all your users – both on a global as well as an individual basis.
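To tie the per-user check (“passwd -S”) and the global setting (PASS_MAX_DAYS in /etc/login.defs) together, here is an added POSIX sh audit script. It is not part of the original post; the status lines and login.defs text it uses are constructed samples, and the field positions follow the shadow-utils “passwd -S” layout (name, status, last change, min, max, warn, inactive).

```shell
#!/bin/sh
# Added example: audit password ageing against the PASS_MAX_DAYS policy.

status_max_days() {
    # $1: one line of `passwd -S` output; prints the maximum-age field
    # (name status last_change min max warn inactive (...)) -> field 5
    printf '%s\n' "$1" | awk '{ print $5 }'
}

login_defs_max_days() {
    # Reads /etc/login.defs-style text on stdin and prints the effective
    # PASS_MAX_DAYS: comments are skipped, the last setting wins, and an
    # unset value falls back to 99999 (the shadow-utils default, i.e. never).
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? 99999 : v) }'
}

account_compliant() {
    # $1: `passwd -S` line, $2: policy maximum in days.
    # Returns 0 only if the account's password expires within the policy.
    max=$(status_max_days "$1")
    [ "$max" -gt 0 ] && [ "$max" -le "$2" ]
}

# Constructed sample data (not captured from a real system):
SAMPLE_DEFS='# Password aging controls
PASS_MAX_DAYS   99999
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0'
SAMPLE_OK='alice PS 2023-05-01 0 90 7 -1 (Password set, SHA512 crypt.)'
SAMPLE_BAD='bob PS 2023-05-01 0 99999 7 -1 (Password set, SHA512 crypt.)'

POLICY=$(printf '%s\n' "$SAMPLE_DEFS" | login_defs_max_days)
for line in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    user=${line%% *}
    if account_compliant "$line" "$POLICY"; then
        echo "$user: OK (expires within $POLICY days)"
    else
        echo "$user: password never expires or exceeds $POLICY days"
    fi
done
```

On a live host, replace the constructed lines with the real output of “passwd -S username” and feed /etc/login.defs into login_defs_max_days; existing accounts created before the change keep their old maximum, which is exactly what this check surfaces.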
