Requiring password changes is a common security practice, and Linux systems admins can use the chage command to view and change password expiration information. Credit: Shutterstock Ensuring that users change their passwords from time to time is a practice that many system admins follow as part of their security plans. It’s an important step in cyber-defense because it lessens the likelihood that passwords will be compromised. At the same time, requiring overly frequent changes might have unintended side effects; users can be tempted to write down their passwords, or make them so much easier to remember that it becomes easier for someone else to guess what they might be. Fortunately, Linux systems have a way to enforce some timing rules on how frequently passwords must be changed. The /etc/login.defs file allows you to set the parameters that control how long a password can be active before it expires (PASS_MAX_DAYS). It also allows you to set the minimum number of days that a password must remain active (PASS_MIN_DAYS). This second of these parameters ensures that a user can’t change his/her password and then reset it to the former password – basically amounting to no change. Users can also be granted a warning period during which they are alerted to the fact that their passwords will soon expire (PASS_WARN_DAYS) and giving them time to reflect on passwords that would both be hard to guess and relatively easy to remember. If you simply go with the defaults, the settings will undoubtedly result in NO password expirations. The default for the PASS_MAX_DAYS setting is 99999 and that is roughly 273 years. With a value like that, no one is going to see their password expiring. The values for the last password change, the minimum password age, and the maximum password age are stored in the /etc/shadow file. You might see strings of values that look like “19790:0:99999” for these values. In this example, the first value (19790) represents the date of the last change (days since Jan 1, 1970). The 0 is the minimum number of days before a password can be changed again. The third is, of course, the 273 year default for password expiration. To change the default settings in the /etc/login.defs file, you could, for example, change the values that look like what you see on the left to something like what you see on the right to alter them to enforce password aging limitations. PASS_MAX_DAYS 99999 PASS_MAX_DAYS 99 PASS_MIN_DAYS 0 PASS_MIN_DAYS 9 PASS_WARN_AGE 7 PASS_WARN_AGE 9 There is, however, an issue with making these changes. They will not affect existing users. Their settings in the /etc/shadow file will not be altered. In order to enforce the password limitations for current accounts, you will have to use the chage command, which lets you both view and change password expiration information. Here’s an example: # chage lola Changing the aging information for lola Enter the new value, or press ENTER for the default Minimum Password Age [0]: 9 Maximum Password Age [99999]: 99 Last Password Change (YYYY-MM-DD) [2023-03-08]: Password Expiration Warning [7]: 9 Password Inactive [-1]: Account Expiration Date (YYYY-MM-DD) [-1]: Note that responses were only provided for the first, second and fourth prompts. Once the settings have been changed with the chage command, they will go into effect. Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to The logic of && and || on Linux These AND and OR equivalents can be used in scripts to determine next actions. By Sandra Henry-Stocker May 02, 2024 4 mins Linux how-to Using the apropos command on Linux By Sandra Henry-Stocker Apr 24, 2024 3 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe