


NAME

       passwd - change user password

SYNOPSIS

       passwd [-f|-s] [name]
       passwd [-g] [-r|R] group
       passwd [-x max] [-n min] [-w warn] [-i inact] name
       passwd {-l|-u|-d|-S|-e} name

DESCRIPTION

       passwd changes passwords for user and group accounts.  A normal user
       may only change the password for their own account; the super user may
       change the password for any account.  The administrator of a group may
       change the password for the group.  passwd also changes account
       information, such as the full name of the user, their login shell, or
       password expiry dates and intervals.

   Password Changes
       The user is first prompted for their old password, if one is present.
       This password is then encrypted and compared against the stored
       password.  The user has only one chance to enter the correct password.
       The super user is permitted to bypass this step so that forgotten
       passwords may be changed.

       After the password has been entered, password aging information is
       checked to see if the user is permitted to change their password at
       this time.  If not, passwd refuses to change the password and exits.

       The user is then prompted for a replacement password.  This password is
       tested for complexity.  As a general guideline, passwords should
       consist of 6 to 8 characters including one or more from each of the
       following:

	    Lower case alphabetics

	    Upper case alphabetics

	    Digits 0 thru 9

	    Punctuation marks

       Care must be taken not to include the system default erase or kill
       characters.  passwd will reject any password which is not suitably
       complex.

       If the password is accepted, passwd will prompt again and compare the
       second entry against the first.  Both entries are required to match in
       order for the password to be changed.

   Group passwords
       When the -g option is used, the password for the named group is
       changed.  The user must either be the super user, or a group
       administrator for the named group.  The current group password is not
       prompted for.  The -r option is used with the -g option to remove the
       current password from the named group.  This allows group access to all
       members.  The -R option is used with the -g option to restrict the
       named group for all users.

   Password expiry information
       The password aging information may be changed by the super user with
       the -x, -n, -w, and -i options.  The -x option is used to set the
       maximum number of days a password remains valid.  After max days, the
       password is required to be changed.  The -n option is used to set the
       minimum number of days before a password may be changed.  The user will
       not be permitted to change the password until min days have elapsed.
       The -w option is used to set the number of days of warning the user
       will receive before their password will expire.  The warning occurs
       warn days before the expiration, telling the user how many days until
       the password is set to expire.  The -i option is used to disable an
       account after the password has been expired for a number of days.
       After a user account has had an expired password for inact days, the
       user may no longer sign on to the account.

   Account maintenance
       User accounts may be locked and unlocked with the -l and -u flags.  The
       -l option disables an account by changing the password to a value which
       matches no possible encrypted value.  The -u option re-enables an
       account by changing the password back to its previous value.

       If you wish to immediately expire an account's password, you can use
       the -e option.  This in effect can force a user to change their
       password at their next login.  You can also use the -d option to delete
       a user's password (make it empty).  Use caution with this option since
       it can make an account not require a password at all to login, leaving
       your system open to intruders.

       The account status may be given with the -S option.  The status
       information consists of 6 parts.  The first part indicates if the user
       account is locked (L), has no password (NP), or has a usable password
       (P).  The second part gives the date of the last password change.  The
       next four parts are the minimum age, maximum age, warning period, and
       inactivity period for the password.
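
       Added example (not part of the original manual page): a shell audit
       that reads shadow(5)-format records and reports each account with the
       L / NP / P status letters described above plus its aging values, so
       accounts left empty by -d stand out.  The function names, the sample
       records and the rule that a hash starting with "!" or "*" counts as
       locked are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the manual page.  Classifies shadow(5) records
# with the status letters described for -S: L, NP or P.
# shadow(5) field order: name:hash:lastchg:min:max:warn:inact:expire:reserved
# Assumption: a hash field starting with "!" or "*" can match no password
# (the state -l leaves an account in); an empty field is what -d leaves.

# audit_shadow (hypothetical name): shadow-format lines on stdin,
# prints "name status min max warn inact", "-" where a field is unset.
audit_shadow() {
    awk -F: '
        $0 == "" || /^#/ { next }
        {
            if ($2 == "")            status = "NP"
            else if ($2 ~ /^[!*]/)   status = "L"
            else                     status = "P"
            for (i = 4; i <= 7; i++) if ($i == "") $i = "-"
            print $1, status, $4, $5, $6, $7
        }'
}

# empty_password_accounts (hypothetical name): names of accounts that
# can log in with no password at all.
empty_password_accounts() {
    audit_shadow | awk '$2 == "NP" { print $1 }'
}

# Constructed sample records; the hashes are placeholders, not real values.
SAMPLE='alice:$6$constructedsalt$constructedhash:19000:0:90:7:14::
bob::19000:0:99999:7:::
carol:!$6$constructedsalt$constructedhash:19000:1:60:10:30::
daemon:*:18000:0:99999:7:::'

# Run with --demo to print the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | audit_shadow
fi
```

       On a live system the same functions can be fed /etc/shadow as the
       super user, for example: empty_password_accounts < /etc/shadow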

   Hints for user passwords
       The security of a password depends upon the strength of the encryption
       algorithm and the size of the key space.  The UNIX System encryption
       method is based on the NBS DES algorithm and is very secure.  The size
       of the key space depends upon the randomness of the password which is

       The -s option makes passwd call chsh to change the user's shell.  The -f
       option makes passwd call chfn to change the user's gecos information.
       These two options are only meant for compatibility, since the other
       programs can be called directly.

       Compromises in password security normally result from careless password
       selection or handling.  For this reason, you should select a password
       which does not appear in a dictionary and which does not have to be
       written down.  The password should also not be a proper name, your
       license number, birth date, or street address.  Any of these may be
       used as guesses to violate system security.

       Your password must be easily remembered so that you will not be forced
       to write it on a piece of paper.  This can be accomplished by appending
       two small words together and separating each with a special character
       or digit.  For example, Pass%word.

       Other methods of construction involve selecting an easily remembered
       phrase from literature and selecting the first or last letter from
       each.  An example of this is

	    Ask not for whom the bell tolls.

       which produces


       You may be reasonably sure few crackers will have included this in
       their dictionary.  You should, however, select your own methods for
       constructing passwords and not rely exclusively on the methods given

   Notes about group passwords
       Group passwords are an inherent security problem since  more  than  one
       person is permitted to know the password.  However, groups are a useful
       tool for permitting co-operation between different users.

CAVEATS

       Not all options may be supported.  Password complexity checking may
       vary from site to site.  The user is urged to select as complex a
       password as they feel comfortable with.  Users may not be able to
       change their password on a system if NIS is enabled and they are not
       logged into the NIS server.

FILES

       /etc/passwd - user account information
       /etc/shadow - encrypted user passwords

SEE ALSO

       group(5), passwd(5)

AUTHOR

       Julianne Frances Haugh (jfh@austin.ibm.com)
