{ "content": [ { "type": "text", "text": "# passwd(1) (man)\n\n**Summary:** passwd - change user password\n\n**Synopsis:** passwd [options] [LOGIN]\n\n## Flags\n\n| Flag | Long | Arg | Description |\n|------|------|-----|-------------|\n| -a | --all | — | This option can be used only with -S and causes show status for all users. |\n| -d | --delete | — | Delete a user's password (make it empty). This is a quick way to disable a password for an account. It will set the name |\n| -e | --expire | — | Immediately expire an account's password. This in effect can force a user to change their password at the user's next lo |\n| -h | --help | — | Display help message and exit. |\n| -i | --inactive | — | This option is used to disable an account after the password has been expired for a number of days. After a user account |\n| -k | --keep-tokens | — | Indicate password change should be performed only for expired authentication tokens (passwords). The user wishes to keep |\n| -l | --lock | — | Lock the password of the named account. This option disables a password by changing it to a value which matches no possi |\n| -n | --mindays | — | Set the minimum number of days between password changes to MINDAYS. A value of zero for this field indicates that the us |\n| -q | --quiet | — | Quiet mode. |\n| -r | --repository | — | change password in REPOSITORY repository |\n| -R | --root | — | Apply changes in the CHROOTDIR directory and use the configuration files from the CHROOTDIR directory. |\n| -S | --status | — | Display account status information. The status information consists of 7 fields. The first field is the user's login nam |\n| -u | --unlock | — | Unlock the password of the named account. This option re-enables a password by changing the password back to its previou |\n| -w | --warndays | — | Set the number of days of warning before a password change is required. The WARNDAYS option is the number of days prior |\n| -x | --maxdays | — | Set the maximum number of days a password remains valid. After MAXDAYS, the password is required to be changed. Passing |\n\n## See Also\n\n- chpasswd(8)\n- shadow(5)\n- usermod(8)\n\n## Section Outline\n\n- **NAME** (2 lines)\n- **SYNOPSIS** (2 lines)\n- **DESCRIPTION** (4 lines) — 2 subsections\n - Password Changes (24 lines)\n - Hints for user passwords (14 lines)\n- **OPTIONS** (2 lines) — 15 subsections\n - -a --all (2 lines)\n - -d --delete (3 lines)\n - -e --expire (3 lines)\n - -h --help (2 lines)\n - -i --inactive (4 lines)\n - -k --keep-tokens (3 lines)\n - -l --lock (10 lines)\n - -n --mindays (3 lines)\n - -q --quiet (2 lines)\n - -r --repository (2 lines)\n - -R --root (3 lines)\n - -S --status (7 lines)\n - -u --unlock (3 lines)\n - -w --warndays (4 lines)\n - -x --maxdays (5 lines)\n- **CAVEATS** (8 lines)\n- **FILES** (9 lines)\n- **EXIT VALUES** (23 lines)\n- **SEE ALSO** (5 lines)\n\n## Full Content\n\n### NAME\n\npasswd - change user password\n\n### SYNOPSIS\n\npasswd [options] [LOGIN]\n\n### DESCRIPTION\n\nThe passwd command changes passwords for user accounts. A normal user may only change the\npassword for their own account, while the superuser may change the password for any account.\npasswd also changes the account or associated password validity period.\n\n#### Password Changes\n\nThe user is first prompted for their old password, if one is present. This password is then\nencrypted and compared against the stored password. The user has only one chance to enter the\ncorrect password. The superuser is permitted to bypass this step so that forgotten passwords\nmay be changed.\n\nAfter the password has been entered, password aging information is checked to see if the user\nis permitted to change the password at this time. If not, passwd refuses to change the\npassword and exits.\n\nThe user is then prompted twice for a replacement password. The second entry is compared\nagainst the first and both are required to match in order for the password to be changed.\n\nThen, the password is tested for complexity. As a general guideline, passwords should consist\nof 6 to 8 characters including one or more characters from each of the following sets:\n\n• lower case alphabetics\n\n• digits 0 thru 9\n\n• punctuation marks\n\nCare must be taken not to include the system default erase or kill characters. passwd will\nreject any password which is not suitably complex.\n\n#### Hints for user passwords\n\nThe security of a password depends upon the strength of the encryption algorithm and the size\nof the key space. The legacy UNIX System encryption method is based on the NBS DES algorithm.\nMore recent methods are now recommended (see ENCRYPTMETHOD). The size of the key space\ndepends upon the randomness of the password which is selected.\n\nCompromises in password security normally result from careless password selection or\nhandling. For this reason, you should not select a password which appears in a dictionary or\nwhich must be written down. The password should also not be a proper name, your license\nnumber, birth date, or street address. Any of these may be used as guesses to violate system\nsecurity.\n\nYou can find advice on how to choose a strong password on\nhttp://en.wikipedia.org/wiki/Passwordstrength\n\n### OPTIONS\n\nThe options which apply to the passwd command are:\n\n#### -a --all\n\nThis option can be used only with -S and causes show status for all users.\n\n#### -d --delete\n\nDelete a user's password (make it empty). This is a quick way to disable a password for\nan account. It will set the named account passwordless.\n\n#### -e --expire\n\nImmediately expire an account's password. This in effect can force a user to change their\npassword at the user's next login.\n\n#### -h --help\n\nDisplay help message and exit.\n\n#### -i --inactive\n\nThis option is used to disable an account after the password has been expired for a\nnumber of days. After a user account has had an expired password for INACTIVE days, the\nuser may no longer sign on to the account.\n\n#### -k --keep-tokens\n\nIndicate password change should be performed only for expired authentication tokens\n(passwords). The user wishes to keep their non-expired tokens as before.\n\n#### -l --lock\n\nLock the password of the named account. This option disables a password by changing it to\na value which matches no possible encrypted value (it adds a ´!´ at the beginning of the\npassword).\n\nNote that this does not disable the account. The user may still be able to login using\nanother authentication token (e.g. an SSH key). To disable the account, administrators\nshould use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970).\n\nUsers with a locked password are not allowed to change their password.\n\n#### -n --mindays\n\nSet the minimum number of days between password changes to MINDAYS. A value of zero for\nthis field indicates that the user may change their password at any time.\n\n#### -q --quiet\n\nQuiet mode.\n\n#### -r --repository\n\nchange password in REPOSITORY repository\n\n#### -R --root\n\nApply changes in the CHROOTDIR directory and use the configuration files from the\nCHROOTDIR directory.\n\n#### -S --status\n\nDisplay account status information. The status information consists of 7 fields. The\nfirst field is the user's login name. The second field indicates if the user account has\na locked password (L), has no password (NP), or has a usable password (P). The third\nfield gives the date of the last password change. The next four fields are the minimum\nage, maximum age, warning period, and inactivity period for the password. These ages are\nexpressed in days.\n\n#### -u --unlock\n\nUnlock the password of the named account. This option re-enables a password by changing\nthe password back to its previous value (to the value before using the -l option).\n\n#### -w --warndays\n\nSet the number of days of warning before a password change is required. The WARNDAYS\noption is the number of days prior to the password expiring that a user will be warned\nthat their password is about to expire.\n\n#### -x --maxdays\n\nSet the maximum number of days a password remains valid. After MAXDAYS, the password is\nrequired to be changed.\n\nPassing the number -1 as MAXDAYS will remove checking a password's validity.\n\n### CAVEATS\n\nPassword complexity checking may vary from site to site. The user is urged to select a\npassword as complex as he or she feels comfortable with.\n\nUsers may not be able to change their password on a system if NIS is enabled and they are not\nlogged into the NIS server.\n\npasswd uses PAM to authenticate users and to change their passwords.\n\n### FILES\n\n/etc/passwd\nUser account information.\n\n/etc/shadow\nSecure user account information.\n\n/etc/pam.d/passwd\nPAM configuration for passwd.\n\n### EXIT VALUES\n\nThe passwd command exits with the following values:\n\n0\nsuccess\n\n1\npermission denied\n\n2\ninvalid combination of options\n\n3\nunexpected failure, nothing done\n\n4\nunexpected failure, passwd file missing\n\n5\npasswd file busy, try again\n\n6\ninvalid argument to option\n\n### SEE ALSO\n\nchpasswd(8), passwd(5), shadow(5), usermod(8).\n\n\n\nshadow-utils 4.8.1 02/06/2024 PASSWD(1)\n\n" } ], "structuredContent": { "command": "passwd", "section": "1", "mode": "man", "summary": "passwd - change user password", "synopsis": "passwd [options] [LOGIN]", "flags": [ { "flag": "-a", "long": "--all", "arg": null, "description": "This option can be used only with -S and causes show status for all users." }, { "flag": "-d", "long": "--delete", "arg": null, "description": "Delete a user's password (make it empty). This is a quick way to disable a password for an account. It will set the named account passwordless." }, { "flag": "-e", "long": "--expire", "arg": null, "description": "Immediately expire an account's password. This in effect can force a user to change their password at the user's next login." }, { "flag": "-h", "long": "--help", "arg": null, "description": "Display help message and exit." }, { "flag": "-i", "long": "--inactive", "arg": null, "description": "This option is used to disable an account after the password has been expired for a number of days. After a user account has had an expired password for INACTIVE days, the user may no longer sign on to the account." }, { "flag": "-k", "long": "--keep-tokens", "arg": null, "description": "Indicate password change should be performed only for expired authentication tokens (passwords). The user wishes to keep their non-expired tokens as before." }, { "flag": "-l", "long": "--lock", "arg": null, "description": "Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password). Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970). Users with a locked password are not allowed to change their password." }, { "flag": "-n", "long": "--mindays", "arg": null, "description": "Set the minimum number of days between password changes to MINDAYS. A value of zero for this field indicates that the user may change their password at any time." }, { "flag": "-q", "long": "--quiet", "arg": null, "description": "Quiet mode." }, { "flag": "-r", "long": "--repository", "arg": null, "description": "change password in REPOSITORY repository" }, { "flag": "-R", "long": "--root", "arg": null, "description": "Apply changes in the CHROOTDIR directory and use the configuration files from the CHROOTDIR directory." }, { "flag": "-S", "long": "--status", "arg": null, "description": "Display account status information. The status information consists of 7 fields. The first field is the user's login name. The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P). The third field gives the date of the last password change. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password. These ages are expressed in days." }, { "flag": "-u", "long": "--unlock", "arg": null, "description": "Unlock the password of the named account. This option re-enables a password by changing the password back to its previous value (to the value before using the -l option)." }, { "flag": "-w", "long": "--warndays", "arg": null, "description": "Set the number of days of warning before a password change is required. The WARNDAYS option is the number of days prior to the password expiring that a user will be warned that their password is about to expire." }, { "flag": "-x", "long": "--maxdays", "arg": null, "description": "Set the maximum number of days a password remains valid. After MAXDAYS, the password is required to be changed. Passing the number -1 as MAXDAYS will remove checking a password's validity." } ], "examples": [], "see_also": [ { "name": "chpasswd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/chpasswd/8/json" }, { "name": "shadow", "section": "5", "url": "https://www.chedong.com/phpMan.php/man/shadow/5/json" }, { "name": "usermod", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/usermod/8/json" } ], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 2, "subsections": [] }, { "name": "DESCRIPTION", "lines": 4, "subsections": [ { "name": "Password Changes", "lines": 24 }, { "name": "Hints for user passwords", "lines": 14 } ] }, { "name": "OPTIONS", "lines": 2, "subsections": [ { "name": "-a --all", "lines": 2, "flag": "-a", "long": "--all" }, { "name": "-d --delete", "lines": 3, "flag": "-d", "long": "--delete" }, { "name": "-e --expire", "lines": 3, "flag": "-e", "long": "--expire" }, { "name": "-h --help", "lines": 2, "flag": "-h", "long": "--help" }, { "name": "-i --inactive", "lines": 4, "flag": "-i", "long": "--inactive" }, { "name": "-k --keep-tokens", "lines": 3, "flag": "-k", "long": "--keep-tokens" }, { "name": "-l --lock", "lines": 10, "flag": "-l", "long": "--lock" }, { "name": "-n --mindays", "lines": 3, "flag": "-n", "long": "--mindays" }, { "name": "-q --quiet", "lines": 2, "flag": "-q", "long": "--quiet" }, { "name": "-r --repository", "lines": 2, "flag": "-r", "long": "--repository" }, { "name": "-R --root", "lines": 3, "flag": "-R", "long": "--root" }, { "name": "-S --status", "lines": 7, "flag": "-S", "long": "--status" }, { "name": "-u --unlock", "lines": 3, "flag": "-u", "long": "--unlock" }, { "name": "-w --warndays", "lines": 4, "flag": "-w", "long": "--warndays" }, { "name": "-x --maxdays", "lines": 5, "flag": "-x", "long": "--maxdays" } ] }, { "name": "CAVEATS", "lines": 8, "subsections": [] }, { "name": "FILES", "lines": 9, "subsections": [] }, { "name": "EXIT VALUES", "lines": 23, "subsections": [] }, { "name": "SEE ALSO", "lines": 5, "subsections": [] } ] } }