PASSWD(1) User utilities PASSWD(1)

passwd - update user's authentication tokens

passwd [-k] [-l] [-u [-f]] [-d] [-n mindays] [-x maxdays] [-w warndays]
[-i inactivedays] [-S] [--stdin] [username]

The passwd utility is used to update user's authentication token(s).

This task is achieved through calls to the Linux-PAM and Libuser API.
Essentially, it initializes itself as a "passwd" service with Linux-PAM
and utilizes configured password modules to authenticate and then
update a user's password.

A simple entry in the global Linux-PAM configuration file for this
service would be:

#
# passwd service entry that does strength checking of
# a proposed password before updating it.
#
passwd password requisite pam_cracklib.so retry=3
passwd password required pam_unix.so use_authtok
#

Note, other module types are not required for this application to
function correctly.

-k The option -k is used to indicate that the update should only
be for expired authentication tokens (passwords); the user
wishes to keep their non-expired tokens as before.

-l This option is used to lock the specified account and it is
available to root only. The locking is performed by rendering
the encrypted password into an invalid string (by prefixing the
encrypted string with an !).

--stdin
This option is used to indicate that passwd should read the new
password from standard input, which can be a pipe.

-u This is the reverse of the -l option - it will unlock the
account password by removing the ! prefix. This option is available
to root only. By default passwd will refuse to create a
passwordless account (it will not unlock an account that has
only "!" as a password). The force option -f will override this
protection.

-d This is a quick way to delete a password for an account. It will
set the named account passwordless. Available to root only.

-n This will set the minimum password lifetime, in days, if the
user's account supports password lifetimes. Available to root
only.

-x This will set the maximum password lifetime, in days, if the
user's account supports password lifetimes. Available to root
only.

-w This will set the number of days in advance the user will begin
receiving warnings that her password will expire, if the user's
account supports password lifetimes. Available to root only.

-i This will set the number of days which will pass before an
expired password for this account will be taken to mean that the
account is inactive and should be disabled, if the user's
account supports password lifetimes. Available to root only.

-S This will output short information about the status of the
password for a given account. Available to root user only.
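
Added example (not part of the original manual page): an audit script that reads shadow(5)-format lines and reports the password-field states described for -l, -u and -d, together with the aging values set by -n, -x, -w and -i. The function names, sample entries and placeholder hashes are constructed; the shadow(5) field order and the "*" no-login marker are assumptions taken from that file format, not from this page.

```shell
#!/bin/sh
# Added example, not from the passwd manual; sample entries and hashes are constructed.

# classify_pw FIELD: state of a shadow(5) password field (2nd field).
classify_pw() {
    case "$1" in
        '')  echo passwordless; return ;;   # state left by passwd -d
        '*') echo disabled; return ;;       # assumption: shadow(5) no-login marker
    esac
    rest=$1
    while :; do                             # strip every leading '!'
        case "$rest" in '!'*) rest=${rest#?} ;; *) break ;; esac
    done
    if [ "$rest" = "$1" ]; then echo set            # hash without '!' prefix
    elif [ -z "$rest" ]; then echo locked-empty     # only '!': -u refuses without -f
    else echo locked                                # '!' + hash, as written by -l
    fi
}

# audit_shadow: shadow(5) lines on stdin -> state plus the aging fields
# set by -n (min), -x (max), -w (warn) and -i (inactive); '-' means unset.
audit_shadow() {
    while IFS=: read -r user pw _lastchg min max warn inactive _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        printf '%s %s min=%s max=%s warn=%s inactive=%s\n' "$user" \
            "$(classify_pw "$pw")" "${min:--}" "${max:--}" \
            "${warn:--}" "${inactive:--}"
    done
}

# needs_review: accounts that are passwordless now, or that would become
# passwordless if unlocked with -u -f.
needs_review() {
    audit_shadow | while read -r user state _rest; do
        case "$state" in passwordless|locked-empty) echo "$user" ;; esac
    done
}

sample_shadow() {   # constructed input, placeholder hashes
    cat <<'EOF'
alice:$6$constructedsalt$placeholderhash:19000:1:90:7:14::
bob:!$6$constructedsalt$placeholderhash:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:!:19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system, root would feed the real file to the same functions, for example `needs_review < /etc/shadow`.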

Protect your password.
Don't write down your password - memorize it. In particular,
don't write it down and leave it anywhere, and don't place it in
an unencrypted file! Use unrelated passwords for systems
controlled by different organizations. Don't give or share your
password, in particular to someone claiming to be from computer
support or a vendor. Don't let anyone watch you enter your
password. Don't enter your password to a computer you don't
trust or if things "look funny"; someone may be trying to hijack
your password. Use the password for a limited time and change
it periodically.

Choose a hard-to-guess password.
passwd through the calls to the pam_cracklib PAM module will try
to prevent you from choosing a really bad password, but it isn't
foolproof; create your password wisely. Don't use something
you'd find in a dictionary (in any language or jargon). Don't
use a name (including that of a spouse, parent, child, pet,
fantasy character, famous person, and location) or any variation of
your personal or account name. Don't use accessible information
about you (such as your phone number, license plate, or social
security number) or your environment. Don't use a birthday or a
simple pattern (such as "qwerty", "abc", or "aaa"). Don't use
any of those backwards, followed by a digit, or preceded by a
digit. Instead, use a mixture of upper and lower case letters,
as well as digits or punctuation. When choosing a new password,
make sure it's unrelated to any previous password. Use long
passwords (say at least 8 characters long). You might use a
word pair with punctuation inserted, a passphrase (an
understandable sequence of words), or the first letter of each word
in a passphrase.

These principles are partially enforced by the system, but only partly
so. Vigilance on your part will make the system much more secure.

On successful completion of its task, passwd will complete with exit
code 0. An exit code of 1 indicates an error occurred. Textual errors
are written to the standard error stream.

Linux-PAM (Pluggable Authentication modules for Linux).

/etc/pam.d/passwd - the Linux-PAM configuration file

None known.

pam(8), pam.d(5), libuser.conf(5), and pam_chauthtok(3).

For more complete information on how to configure this application with
Linux-PAM, see the Linux-PAM System Administrators' Guide.

Cristian Gafton <gafton@redhat.com>

GNU/Linux Sep 24 2009 PASSWD(1)