This tutorial explains password aging policy in Linux step by step. Learn what the password aging policy is and how it is managed through the chage command with practical examples.
What is the password aging policy in Linux?
In order to ensure system and network security, administrators use various security mechanisms. The password aging policy is one of them. It defines the time period for user password and based on that time period it allows administrators to take various actions such as forcing user to change password, displaying warning message to change password, disabling user account, etc.
There are seven settings in password aging policy. These are: -
- Last password change date
- Password expires date
- Password inactive date
- Account expires date
- Minimum number of days between password change
- Maximum number days between password change
- Number of days of warning before password expires
This tutorial is the seventh part of the tutorial “Linux user and group management step by step explained with practical examples”. The other parts of this tutorial are following: -
Types of Users in Linux Explained with Accounts
This tutorial is the first part of the article. It explains what a user account is and how it is managed in the Linux system.
/etc/passwd file in Linux Explained with Examples
This tutorial is the second part of article. It explains the /etc/passwd file and how it is formatted in detail.
/etc/shadow file in Linux Explained with ExamplesThis tutorial is the third part of article. It explains the /etc/shadow file and how it is formatted in detail.
Linux User Management Explained with Examples
This tutorial is the fourth part of the article. It explains how to create users in Linux at command prompt step by step.
Usermod Command in Linux Explained with Examples
This tutorial is the fifth part of the article. It explains how to modify user’s attributes with 15+ practical examples.
Linux Group Management Explained with Examples
This tutorial is sixth part of the article. It explains Linux group management in detail with practical examples.
Let’s understand each setting in detail.
Last password change date
This is the date when user last time changed his password. Dates of next two settings are calculated from this date.
Password expires date
This is the last date till the changed password remains valid. After this date password becomes invalid. This date is calculated from the first setting and the sixth setting.
Password expires date = Last password change date + Maximum number days between password change
Password inactive date
This is the last date to use an expired password. After this date if expired password is not changed, user account will be locked. Just like last three settings, this setting also takes value in day format. But it displays that value in date format.
Password inactive date = Password expires date + Password inactive days
Account expires date
This is the last date till user can use his account. After this date account will be locked automatically. This setting is not based or calculated from other settings. It is defined individually.
Minimum number of days between password change
These are the number of days that must be elapsed before user is allowed to change his password again. These days are calculated from the last password change date.
Maximum number days between password change
These are the number of days till password remains valid. These days are also calculated from the last password change date.
Number of days of warning before password expires
These are the number of days in which user will get warning message to change his password before password expiration. These days are calculated in reverse from the password expiry date.
Let’s take an example to understand how the dates are calculated in password aging policy.
Suppose the values of Minimum number of days between password change, Maximum number of days between password change, Number of days of warning before password expires and password inactive are defined as 2, 20, 5 and 3 respectively.
If user changes his password on 1 January then: -
- He can’t change his password again till 3 January.
- He can use selected password till 20 January.
- Starting from 15 January, he will get a warning message to change password at login.
- If he doesn’t change his password till 20 January, his password will expire.
- Starting from 21 January, he will be able to login with expired password but he will not be able to perform any task except changing password. In simple term, he will be forced to change his password just after the login.
- If he doesn’t change his password till 23 January, on 24 January his account will be locked.
- A locked account can be unlocked only by the system administrator.
Now suppose user changes his password on 20 January then all dates will reset as following.
- Last password change date: - 20 January.
- Password expiration date: - 9 February (20 January + 20 days).
- Starting date of warning message for password change: - 4 February (9 February – 5 days)
- Password inactive or account lock date: - 12 February (9 February + 3 days)
Following table lists the default value of password aging settings.
| Setting | Default value |
| Last password change date | User creation date |
| Password expiry date | Never |
| Password inactive date | Never |
| Account expiry date | Never |
| Minimum number of days between password change | 0 day |
| Maximum number of days between password change | 99999 days |
| Number of days of warning before password expires | 7 days |
Values of Minimum number of days between password change, Maximum number of days between password change and Number of days of warning before password expires are stored in file /etc/login.defs.
Besides password aging policy, this file also stores the default values of several other parameters. When a new user account is created without providing necessary options, this file is used to assign the default values of those options.
Following figure shows the default values of password aging policy stored in file /etc/login.defs.
In password aging section there is one more control PASS_MIN_LEN. It is used to define the length of password. For example if we set it to 8, minimum acceptable password length will become 8 characters. After this user will be forced to select the password which contains minimum 8 characters or more in length. Since this option is not directly related with password aging, I will explain it separately in next part of this tutorial.
Listing password aging settings
The chage command with –l option is used to list the current settings of password aging policy.
Let’s create a test user account with default options.
#useradd jack #passwd jack
Now list its password aging settings.
#chage –l jack
Since we didn’t change any password aging settings for this user, all above setting are populated and calculated from the default settings.
Changing default password aging options for new users
If require, you can customize the password aging policy options stored in file /etc/login.defs. To customize these options, take the backup of original file and open it with your favorite text editor. Now update the options are per your requirement and save the file.
Let’s create one more user account and check its password aging options.
Any change made in file /etc/login.defs applies only on those user accounts which will be created after the change. This file only defines the main options of password aging policy. To change password aging policy for existing user or update all settings, the chage command is used.
Managing password aging policy with chage command
The chage command provides two ways to update the password aging options: -
- update all settings through interactive prompt
- update individual setting through command line option
Let’s understand both options in detail.
Updating all settings through interactive prompt
To update all settings through interactive prompt, use following command: -
#chage [username]
If we run chage command without any options and specify only the username, it launches an interactive series of prompts to set the required value for each option of password aging policy. It also displays the current value of each option in bracket. If we specify the new value for any option, the value of that option will be replaced with new value otherwise existing value will remain intact.
Updating individual setting through command line option
To change password aging setting individually following options are used with the chage command.
| option in short version | option in long version | Used to update the setting |
| -d | --lastday | Last password change date |
| -m | --mindays | Minimum number of days between password change |
| -M | --maxdays | Maximum number days between password change |
| -W | --warndays | Number of days of warning before password expires |
| -I | --inactive | Password inactive date |
| -E | --expiredate | Account expires date |
Let’s understand each setting through practical examples.
Updating last password change date
Last password change date is automatically updates when user changes his password. But if require, we can also set this date manually with -d option. For example, following command sets last password change date to 10 December 2018 for user rick.
#chage –d 2018-12-10 rick
Forcing user to change his password at next login
Instead of specifying a date with -d option if we specify a value 0 with this option, user password will expire immediately. At next login user will be forced to change his password. For example, following command sets user rick’s password as expired.
#chage -d 0 rick
Due to any reason if you want to revert above setting, simply set the last password date again with same command.
Changing password inactive days
To change the number of days in which account will be locked if expired password is not changed, use -I option with chage command. For example following command sets these days to 5 for user rick.
#chage –I 5 rick
To reset the password inactive days back to never, specify the value -1 with this option.
Changing password warning days
To set the number of days in which user will get warning message to change his password before password expiration, use –W option with chage command. For example, following command sets warning message days to 5 days before the password expiration for user rick.
#chage –W 5 rick
Changing minimum number of days
To change the number of days which must be elapsed before user is allowed to change his password again, use -m option with chage command. For example, following command sets the minimum number of days between password changes to 5 days for user rick.
#chage –m 5 rick
To reset this value back to default, specify the value 0 with this option.
Changing maximum number of days between password change
To set or update the maximum number of days in which user is allowed to use the password, use -M option with chage command. For example, following command sets maximum number of days between password changes to 60 days for user rick.
#chage –M 60 rick
Changing password expiration to never
The setting “password expires” is directly related with the setting “Maximum number of days between password change”. Once the value in the setting “Maximum number of days between password change”, is changed, password expiry date is automatically calculated from the last password change date and filled in the setting “password expires”.
Since the setting “password expires” is based on the setting “Maximum number of days between password change”, if we restore the default value of the setting “Maximum number of days between password change”, the default value of the setting “password expires” will be restored automatically.
To reset the setting “password expires” back to “never”, set the value of setting “Maximum number of days between password changes” to 99999. For example, following command restores the default values of both settings for user rick.
#chage –M 99999 rick
Changing account expiration date
By default account expiry date is set to never. It means, unless we manually specify the account expiration date while creating user account, it never expires. To set account expiration date or update existing account expiration date, use –E option with chage command. For example, following command will set account expiry date to 10 May 2019 for user rick.
#chage –E 2019-05-10 rick
Turing off account expiration
If you want to turn off or disable account expiration setting again, you can do this by specifying value -1 with –E option. Value -1 is used to set the account expiration date to Never. For example, following command disables the account expiration setting for user rick.
#chage –E -1 rick
That’s all for this part. In next part, we will learn how to perform some advance user management tasks in detail with examples. If you like this tutorial, please don’t forget to share it through your favorite social channel.