Password aging policy Explained with chage command

This tutorial explains password aging policy in Linux step by step. Learn what the password aging policy is and how it is managed through the chage command with practical examples.

What is the password aging policy in Linux?

In order to ensure system and network security, administrators use various security mechanisms. The password aging policy is one of them. It defines the time period for user password and based on that time period it allows administrators to take various actions such as forcing user to change password, displaying warning message to change password, disabling user account, etc.

There are seven settings in password aging policy. These are: -

  1. Last password change date
  2. Password expires date
  3. Password inactive date
  4. Account expires date
  5. Minimum number of days between password change
  6. Maximum number days between password change
  7. Number of days of warning before password expires

This tutorial is the seventh part of the tutorial “Linux user and group management step by step explained with practical examples”. The other parts of this tutorial are following: -

Types of Users in Linux Explained with Accounts

This tutorial is the first part of the article. It explains what a user account is and how it is managed in the Linux system.

/etc/passwd file in Linux Explained with Examples

This tutorial is the second part of article. It explains the /etc/passwd file and how it is formatted in detail.

/etc/shadow file in Linux Explained with Examples

This tutorial is the third part of article. It explains the /etc/shadow file and how it is formatted in detail.

Linux User Management Explained with Examples

This tutorial is the fourth part of the article. It explains how to create users in Linux at command prompt step by step.

Usermod Command in Linux Explained with Examples

This tutorial is the fifth part of the article. It explains how to modify user’s attributes with 15+ practical examples.

Linux Group Management Explained with Examples

This tutorial is sixth part of the article. It explains Linux group management in detail with practical examples.

Let’s understand each setting in detail.

Last password change date

This is the date when user last time changed his password. Dates of next two settings are calculated from this date.

Password expires date

This is the last date till the changed password remains valid. After this date password becomes invalid. This date is calculated from the first setting and the sixth setting.

Password expires date = Last password change date + Maximum number days between password change
Password inactive date

This is the last date to use an expired password. After this date if expired password is not changed, user account will be locked. Just like last three settings, this setting also takes value in day format. But it displays that value in date format.

Password inactive date = Password expires date + Password inactive days
Account expires date

This is the last date till user can use his account. After this date account will be locked automatically. This setting is not based or calculated from other settings. It is defined individually.

Minimum number of days between password change

These are the number of days that must be elapsed before user is allowed to change his password again. These days are calculated from the last password change date.

Maximum number days between password change

These are the number of days till password remains valid. These days are also calculated from the last password change date.

Number of days of warning before password expires

These are the number of days in which user will get warning message to change his password before password expiration. These days are calculated in reverse from the password expiry date.

password aging policy explained

Let’s take an example to understand how the dates are calculated in password aging policy.

Suppose the values of Minimum number of days between password change, Maximum number of days between password change, Number of days of warning before password expires and password inactive are defined as 2, 20, 5 and 3 respectively.

If user changes his password on 1 January then: -

  • He can’t change his password again till 3 January.
  • He can use selected password till 20 January.
  • Starting from 15 January, he will get a warning message to change password at login.
  • If he doesn’t change his password till 20 January, his password will expire.
  • Starting from 21 January, he will be able to login with expired password but he will not be able to perform any task except changing password. In simple term, he will be forced to change his password just after the login.
  • If he doesn’t change his password till 23 January, on 24 January his account will be locked.
  • A locked account can be unlocked only by the system administrator.

Now suppose user changes his password on 20 January then all dates will reset as following.

  • Last password change date: - 20 January.
  • Password expiration date: - 9 February (20 January + 20 days).
  • Starting date of warning message for password change: - 4 February (9 February – 5 days)
  • Password inactive or account lock date: - 12 February (9 February + 3 days)

Following table lists the default value of password aging settings.

Setting Default value
Last password change date User creation date
Password expiry date Never
Password inactive date Never
Account expiry date Never
Minimum number of days between password change 0 day
Maximum number of days between password change 99999 days
Number of days of warning before password expires 7 days

Values of Minimum number of days between password change, Maximum number of days between password change and Number of days of warning before password expires are stored in file /etc/login.defs.

Besides password aging policy, this file also stores the default values of several other parameters. When a new user account is created without providing necessary options, this file is used to assign the default values of those options.

Following figure shows the default values of password aging policy stored in file /etc/login.defs.

default password aging policy

In password aging section there is one more control PASS_MIN_LEN. It is used to define the length of password. For example if we set it to 8, minimum acceptable password length will become 8 characters. After this user will be forced to select the password which contains minimum 8 characters or more in length. Since this option is not directly related with password aging, I will explain it separately in next part of this tutorial.

Listing password aging settings

The chage command with –l option is used to list the current settings of password aging policy.

Let’s create a test user account with default options.

#useradd jack
#passwd jack
useradd command

Now list its password aging settings.

#chage –l jack
chage -l command

Since we didn’t change any password aging settings for this user, all above setting are populated and calculated from the default settings.

Changing default password aging options for new users

If require, you can customize the password aging policy options stored in file /etc/login.defs. To customize these options, take the backup of original file and open it with your favorite text editor. Now update the options are per your requirement and save the file.

password aging policy default value update

Let’s create one more user account and check its password aging options.

password aging global option verification

Any change made in file /etc/login.defs applies only on those user accounts which will be created after the change. This file only defines the main options of password aging policy. To change password aging policy for existing user or update all settings, the chage command is used.

Managing password aging policy with chage command

The chage command provides two ways to update the password aging options: -

  1. update all settings through interactive prompt
  2. update individual setting through command line option

Let’s understand both options in detail.

Updating all settings through interactive prompt

To update all settings through interactive prompt, use following command: -

#chage [username]

If we run chage command without any options and specify only the username, it launches an interactive series of prompts to set the required value for each option of password aging policy. It also displays the current value of each option in bracket. If we specify the new value for any option, the value of that option will be replaced with new value otherwise existing value will remain intact.

Updating individual setting through command line option

To change password aging setting individually following options are used with the chage command.

option in short version option in long version Used to update the setting
-d --lastday Last password change date
-m --mindays Minimum number of days between password change
-M --maxdays Maximum number days between password change
-W --warndays Number of days of warning before password expires
-I --inactive Password inactive date
-E --expiredate Account expires date

Let’s understand each setting through practical examples.

Updating last password change date

Last password change date is automatically updates when user changes his password. But if require, we can also set this date manually with -d option. For example, following command sets last password change date to 10 December 2018 for user rick.

#chage –d 2018-12-10 rick

Forcing user to change his password at next login

force user to change password

Instead of specifying a date with -d option if we specify a value 0 with this option, user password will expire immediately. At next login user will be forced to change his password. For example, following command sets user rick’s password as expired.

#chage -d 0 rick
chage command value 9

Due to any reason if you want to revert above setting, simply set the last password date again with same command.

chage -d 0 command

Changing password inactive days

To change the number of days in which account will be locked if expired password is not changed, use -I option with chage command. For example following command sets these days to 5 for user rick.

#chage –I 5 rick
password inactive chage command

To reset the password inactive days back to never, specify the value -1 with this option.

disable password inactive option

Changing password warning days

To set the number of days in which user will get warning message to change his password before password expiration, use –W option with chage command. For example, following command sets warning message days to 5 days before the password expiration for user rick.

#chage –W 5 rick
password change warning message

Changing minimum number of days

To change the number of days which must be elapsed before user is allowed to change his password again, use -m option with chage command. For example, following command sets the minimum number of days between password changes to 5 days for user rick.

#chage –m 5 rick
changing minimum days

To reset this value back to default, specify the value 0 with this option.

minimum days to change password reset

Changing maximum number of days between password change

To set or update the maximum number of days in which user is allowed to use the password, use -M option with chage command. For example, following command sets maximum number of days between password changes to 60 days for user rick.

#chage –M 60 rick
setting maximum password days

Changing password expiration to never

The setting “password expires” is directly related with the setting “Maximum number of days between password change”. Once the value in the setting “Maximum number of days between password change”, is changed, password expiry date is automatically calculated from the last password change date and filled in the setting “password expires”.

Since the setting “password expires” is based on the setting “Maximum number of days between password change”, if we restore the default value of the setting “Maximum number of days between password change”, the default value of the setting “password expires” will be restored automatically.

To reset the setting “password expires” back to “never”, set the value of setting “Maximum number of days between password changes” to 99999. For example, following command restores the default values of both settings for user rick.

#chage –M 99999 rick
reset maximum number of days to password change

Changing account expiration date

By default account expiry date is set to never. It means, unless we manually specify the account expiration date while creating user account, it never expires. To set account expiration date or update existing account expiration date, use –E option with chage command. For example, following command will set account expiry date to 10 May 2019 for user rick.

#chage –E 2019-05-10 rick
set account expiration

Turing off account expiration

If you want to turn off or disable account expiration setting again, you can do this by specifying value -1 with –E option. Value -1 is used to set the account expiration date to Never. For example, following command disables the account expiration setting for user rick.

#chage –E -1 rick
disable account expiry

That’s all for this part. In next part, we will learn how to perform some advance user management tasks in detail with examples. If you like this tutorial, please don’t forget to share it through your favorite social channel.

ComputerNetworkingNotes RHCE 7 Study Guide Password aging policy Explained with chage command