Force Linux User to Change Password
If we create a user account with the default password, we can use this trick to force the user to change their account’s default password when they first login to their account. This will hopefully improve the security of their account. We can achieve this in two ways.
1) Using passwd command
2) Using chage command
Using passwd Command
The passwd command is used to change the password of a user account. A normal user can run passwd to change their own password, and the root user can use passwd to change another user’s password or define how each user account’s password can be used or changed.
To force a user to change his password we use passwd command with -e or –expire switches. The –expire or -e switches will expire current password of the user account and forcing the user to change the current password to a new one on next login.
# passwd –expire test
Expiring password for user test.
passwd: Success
To verify the password expiration and aging information of user account test, we can use the chage command.
# chage -l test
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
After setting the password expiration user will get the below screen on next login.
ssh test@159.89.174.23
test@159.89.174.23’s password:
You are required to change your password immediately (root enforced)
Last login: Tue Mar 13 04:22:24 2018 from 202.83.46.160
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test.
Changing password for test.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 159.89.174.23 closed.
Using chage command
The chage command changes the number of days between password changes and the date of the last password change. This information is used by the system to determine when a user must change his/her password.
Alternatively, we can use the chage command with -d or –lastday switches.
-d, –lastday LAST_DAY
Set the number of days since January 1st, 1970 when the password was last changed. The date may also be expressed in the format YYYY-MM-DD (or the format more commonly used in your area). If the LAST_DAY is set to 0 the user is forced to change his password on the next log on.
For this, we run the below command.
#chage –lastday 0 test1
This command will tell the server that the password has not been changed since the above date (i.e. January 1st, 1970), so the password has literally expired and needs to be changed immediately before the user can access the server again.
To verify the user account test1’s password expiration and aging information we can use the below command.
#chage -l test1
When the user test1 try to login the server after the password expiration has been set, the user will get the below screen and force the user to change the password.
$ ssh test1@159.89.174.23
test1@159.89.174.23’s password:
You are required to change your password immediately (root enforced)
Last login: Tue Mar 13 05:33:55 2018 from 202.83.46.160
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test1.
Changing password for test1.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
It is always recommended to remind users to change their account passwords regularly for security reasons. So we can use the above methods for forcing the user to change their password.
If you need any further assistance please contact our support department.
