How to Manage User Passwords Expiration and Aging on Linux

Manage user password expiration and aging on Linux by following a quick 5 step process. It will not only help maintain a good level of security on your system but will also aid in administering the user accounts more flexibly.

Password verification is a process that starts from the /etc/shadow file. Whenever registers attempt to log in, the system, without wasting any time, looks if an entry for the concerned user exists in the /etc/shadow directory. It also verifies whether the typed password matches the encrypted hash

If everything goes as desired, the login attempt gets successfully concluded; if not, the system displays a failed output. To ensure better security, the password aging feature for user accounts was introduced. The same has a crucial role to play in the verification process.

Although not a tough skill to master, misleading approaches can make the entire thing challenging. For helping you avoid that, the following article brings the most flexible guide on how to manage user password expiration and aging.

Pre Requisites:

Before you learn how to manage user password expiration and aging on Linux, I’d recommend creating a separate user account and employing the changes there. It will help make sure that you get proper exposure to the process even without causing any harm to the existing accounts.

Creating A User Account

To create a user account, you’ll only need to invoke the useradd and the passwd command. But it is crucial; you’ve got sudo privileges for that.

Launch the Terminal using the “Ctrl+Alt+T” key combination

Run the following commands

$ sudo useradd trialuser
create a new user account
$ sudo passwd trialuserpassword
user account password

How to Manage User Password Expiration and Aging on Linux

Are you done creating the trial user account already? If yes, it is time to learn how to manage user password expiration seamlessly and again with no issues whatsoever.

Step 1: Forcing a Password Change Right On First Login

To start managing user password expiration, the first thing to do is force a password change to occur as soon as the initial login is concluded. To do that, use the chage command alongside the -d flag in the following manner:

$ sudo chage -d 0 trialuser
manage user password expiration and aging

When you log in to your system via the created user (trialuser, for instance), the system will prompt and initiate a password change. Get the same updated and log yourself back in.

Step 2: Altering the User Password Policy

The next task is changing the default password policy for the concerned user. Suppose you want the trialuser to have a new password every 30 days, invoke the change command together with the -M option while defining the desired period. 

The command should look something like this:

$ sudo chage -M 30 trialuser
altering password policy in Linux

Verify the Password Policy Status

Verify the update status for the concerned user’s password policy. Run the chage command and use the -l flag with it. Your system will then provide an output displaying details on password expiry.

$ sudo chage -l trialuser
verify updated privacy policy

Step 3: Get the User Account Expiry Terms Sorted

To manage user password expiration and aging, it is crucial to set the desired user account in a manner that goes on expiry only after X number of days is passed. Suppose you want the number of days to be 150. In that case, follow the steps below:

You’ll first need to get the exact time and date from the current situation. For that, invoke the date -d command.


$ date -d "+150 days" +%F

The output will display the exact date. Use it to set the terms.

$ sudo chage -E [Desired Date] trialuser
manage user password expiration and aging

Verify the Updated Expiry Date

Just like what we did for step 2, invoke the $ sudo chage -l command and learn if you’ve successfully updated the expiry date. 

Satisfied with the output? If yes, move to the next step.

Step 4: Get the User Account Locked

Here you’ll learn how to lock and unlock the user account. Locking is an action that helps restrict the concerned user from authenticating any new password on the system. Use the usermod command together with the -L flag for this purpose.

$ sudo usermod -L trialuser
lock user account


Run the $ su -trialuser command. If it responds with a message called Authentication failure, it means that the locking process has been successfully concluded.

Unlocking User Account

You can unlock the previously locked account by invoking the usermod -U command at any point in time. 

Launch the Terminal and then run the following command:

$ sudo usermod -U trialuser

Step 5: Setting Password Policy for Every User

You can do that pretty seamlessly if you want to set the desired password policy for every existing user. However, you’ll require administrative access so that you can bring edits and alter the /etc/login/defs file.

To modify the file, you can use any of your favorite editors, vim, for instance.

$ sudo vim /etc/login/defs
setting password policy

Set the desired password policy while defining the exact number of days by setting the section named PASS_MAX_DAYS. Apart from you can bring desired modifications to other existing parameters. The most common ones associated with password aging include:

PASS_WARN_AGE: It defines the number of days before the system leaves a warning notification about password expiry.

PASS_MIN_DAYS: This section talks about the minimum number of days allowed between consecutive password alterations.

PASS_MIN_LEN: As the name suggests, it defines the minimum acceptable length of the password.

PASS_MAX_DAYS: Maximum number of days after which the user needs to change the password.

With that, you now know how to manage user password expiration and aging on Linux. The guide walks you through five amazing steps that help monitor user password pretty seamlessly.

If this guide helped you, please share it.

Leave a Reply
Related Posts