Which of the following settings controls the minimum number of days a password must be set on an account before it can be changed again?

By Sandra Henry-Stocker, Unix Dweeb, Network World

With proper settings, Linux users can be forced to periodically change their passwords. Here's how to view password aging settings and how to configure some of the settings.

User passwords on Linux systems can be configured to be permanent or can be set to expire so that individuals must reset them periodically. Periodic password changing is generally considered good practice for security reasons, but is not configured by default.

To view and modify password-aging settings, you need to be familiar with a couple of important commands: the chage command with its -l option and the passwd command with its -S option. These commands, along with a few other chage commands that are used to configure password aging, are described in this post.

Viewing password aging settings

The way to determine if password aging is in place for some particular account is to use the chage command as shown below. Note that root authority is needed to check any account other than your own. Notice the password expiration date below.

    $ sudo chage -l dory
    Last password change                                : Mar 15, 2020
    Password expires                                    : Jun 13, 2020    <==
    Password inactive                                   : never
    Account expires                                     : never
    Minimum number of days between password change      : 10
    Maximum number of days between password change      : 90
    Number of days of warning before password expires   : 14

If password aging is not being applied, the account information would look like this:

    $ sudo chage -l nemo
    Last password change                                : Jan 14, 2019
    Password expires                                    : never    <==
    Password inactive                                   : never
    Account expires                                     : Mar 26, 2706989
    Minimum number of days between password change      : 0
    Maximum number of days between password change      : 99999
    Number of days of warning before password expires   : 7

You can also view some of this information using the passwd -S command, but you'll need to know what each of the fields in the output represents:

    dory$ passwd -S
    dory P 03/15/2020 10 90 14 -1

The seven fields here represent:

  • 1 – username
  • 2 – account status (L=locked, NP=no password, P=usable password)
  • 3 – date of the last password change
  • 4 – minimum age for a change (password cannot be changed if it isn’t this many days old)
  • 5 – maximum age (password must be changed by the time it gets this many days old)
  • 6 – number of days before a required change that warnings will be provided
  • 7 – number of days after password expires before it is locked (made inactive)

One interesting thing to note is that the chage command doesn’t show you if an account is locked; it only shows the password aging settings. The passwd -S command, on the other hand, will tell you when a password is locked. In this example, note that the account status is “L”:

    $ sudo passwd -S dorothy
    dorothy L 07/09/2019 0 99999 7 10

This locking is recorded in the /etc/shadow file, where the field that normally contains the password "hash" becomes just a "!".

    $ sudo grep dorothy /etc/shadow
    dorothy:!:18086:0:99999:7:10::    <==

The fact that an account is locked is not obvious in the chage output:

    $ sudo chage -l dorothy
    Last password change                                : Jul 09, 2019
    Password expires                                    : never
    Password inactive                                   : never
    Account expires                                     : never
    Minimum number of days between password change      : 0
    Maximum number of days between password change      : 99999
    Number of days of warning before password expires   : 7
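
The passwd -S and chage -l views above can both be derived from /etc/shadow, which also makes it possible to report lock status and aging settings together. The script below is an added example, not part of the original article: the function names and finding labels are hypothetical, and the dory and nemo entries are constructed to match the chage output shown earlier (only the dorothy line appears on the page).

```shell
#!/bin/sh
# Added example: audit password aging from shadow-format lines on stdin.
# Prints: user status last_change password_expires findings
shadow_aging_report() {
  awk -F: '
    # Convert days since 1970-01-01 to YYYY-MM-DD (valid for days >= 0).
    function ymd(z,   era, doe, yoe, y, doy, mp, d, m) {
      z += 719468
      era = int(z / 146097)
      doe = z - era * 146097
      yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
      y = yoe + era * 400
      doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
      mp = int((5 * doy + 2) / 153)
      d = doy - int((153 * mp + 2) / 5) + 1
      m = (mp < 10) ? mp + 3 : mp - 9
      return sprintf("%04d-%02d-%02d", ((m <= 2) ? y + 1 : y), m, d)
    }
    NF >= 5 {
      hash = $2; last = $3; min = $4; max = $5
      # Same status letters as passwd -S: L locked, NP no password, P usable.
      status = (hash ~ /^[!*]/) ? "L" : ((hash == "") ? "NP" : "P")
      changed = (last == "") ? "unknown" : ymd(last + 0)
      # 99999 is the maximum the page shows on accounts without aging.
      aging = (last != "" && max != "" && max + 0 < 99999)
      expires = aging ? ymd(last + max) : "never"
      notes = ""
      if (status == "L") notes = notes ",locked"
      if (!aging)        notes = notes ",no-max-age"
      if (min + 0 == 0)  notes = notes ",no-min-age"
      print $1, status, changed, expires, (notes == "" ? "ok" : substr(notes, 2))
    }'
}

# Constructed sample entries; only the dorothy line appears on the page.
# The hash strings are placeholders, not real password hashes.
sample_shadow() {
  cat <<'EOF'
dory:$6$placeholder$placeholder:18336:10:90:14:::
nemo:$6$placeholder$placeholder:17910:0:99999:7:::
dorothy:!:18086:0:99999:7:10::
EOF
}

sample_shadow | shadow_aging_report
```

On a real system the same function can be fed from /etc/shadow, which requires root to read.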

Some options for password aging

The most commonly used settings are for the minimum and maximum days. These are often used in combination. For example, you might configure a password so that it cannot be used for more than 90 days (maximum) and then add that it cannot be changed before it has been in effect for a week or 10 days (minimum days). This ensures that users won’t change a password when required and then immediately change it back to what it was previously.

    $ sudo chage -M 90 -m 10 shark
    $ sudo chage -l shark
    Last password change                                : Mar 16, 2020
    Password expires                                    : Jun 14, 2020
    Password inactive                                   : never
    Account expires                                     : never
    Minimum number of days between password change      : 10    <==
    Maximum number of days between password change      : 90    <==
    Number of days of warning before password expires   : 7

You can also set a specific expiration date for an account using the -E option.

    $ sudo chage -E 2020-11-11 tadpole
    $ sudo chage -l tadpole
    Last password change                                : Oct 15, 2019
    Password expires                                    : never
    Password inactive                                   : never
    Account expires                                     : Nov 11, 2020    <==
    Minimum number of days between password change      : 0
    Maximum number of days between password change      : 99999
    Number of days of warning before password expires   : 7

Password aging can be an important option as long as it doesn't encourage users to use passwords that are way too simple or write them down in insecure ways. For more information on controlling the character of passwords (e.g., combinations of uppercase and lowercase letters, digits, etc.), check out this post on password complexity.

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

Copyright © 2020 IDG Communications, Inc.

What is the minimum number of days that must pass before the password can be changed?

Password age: Previous NIST guidelines recommended forcing users to change passwords every 90 days (180 days for passphrases).

Which chage option sets the minimum number of days a user must keep a password?

To change the number of days that must elapse before a user is allowed to change their password again, use the -m option with the chage command. For example, the following command sets the minimum number of days between password changes to 5 days for user rick.

What is the minimum number of days that must pass before the password can be changed Linux?

Typically, if the password is expired, users are forced to change it during their next login. You can also set an additional condition: if the user has not tried to log in for 6 days after the password expired, you can automatically lock their account using the -I option as shown below.

How do I set the minimum length of a password?

Navigate to Computer configuration > Windows settings > Security settings > Account policies > Password policy. Once here, locate the setting “Minimum Password Length” and double-click on it. From the properties menu that opens, type in the minimum password length you want to apply and click “OK” when you finish.