4.4.3. Enabling Password Aging

⁠4.4.3. Enabling Password Aging

For security reasons, it is advisable to require users to change their passwords periodically. This can either be done when adding or editing a user on the Password Info tab of the User Manager application, or by using the chage command.

Shadow passwords must be enabled to use chage

Shadow passwords must be enabled to use the chage command. For more information, see Section 4.1.2, “Shadow Passwords”.

To configure password expiration for a user from a shell prompt, run the following command as root:

chage [options] username

…where options are command line options as described in Table 4.4, “chage command line options”. When the chage command is followed directly by a username (that is, when no command line options are specified), it displays the current password aging values and allows you to change them interactively.

⁠

Table 4.4. chage command line options

Option	Description
`-d` days	Specifies the number of days since January 1, 1970 the password was changed.
`-E` date	Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
`-I` days	Specifies the number of inactive days after the password expiration before locking the account. If the value is `0`, the account is not locked after the password expires.
`-l`	Lists current account aging settings.
`-m` days	Specify the minimum number of days after which the user must change passwords. If the value is `0`, the password does not expire.
`-M` days	Specify the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the `-d` option is less than the current day, the user must change passwords before using the account.
`-W` days	Specifies the number of days before the password expiration date to warn the user.

You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.

Set up an initial password. There are two common approaches to this step: you can either assign a default password, or you can use a null password.
To assign a default password, type the following at a shell prompt as root:
```
passwd username
```
To assign a null password instead, use the following command:
```
passwd -d username
```
Avoid using null passwords whenever possible
Using a null password, while convenient, is a highly insecure practice, as any third party can log in first and access the system using the insecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.
Force immediate password expiration by running the following command as root:
```
chage -d 0 username
```
This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.

Upon the initial log in, the user is now prompted for a new password.