How to Use the passwd Command in Linux to Secure and Manage User Passwords: A Complete Guide (2025)

Mastering the passwd Command in Linux

When it comes to managing user authentication on Linux systems, the passwd command is one of the most crucial tools for administrators. This versatile command is used for updating and securing user passwords, offering features such as account locking, password expiration, and much more. Understanding how to use the passwd command can significantly enhance the security of your system, making it an essential skill for any system administrator or Linux user.

In this detailed guide, we’ll explore how the passwd command works, its various options, and how you can use it to manage user accounts effectively. Whether you’re a beginner or an experienced admin, this post will give you the knowledge to wield the passwd command like a pro.

What is the passwd Command?

The passwd command in Linux is a utility used to update a user’s authentication tokens, primarily their passwords. When you run the passwd command, it interacts with the Linux-PAM (Pluggable Authentication Modules) and Libuser API to authenticate and update the password.

In Linux systems, the passwd utility offers various options that allow you to manage passwords in a more secure and structured way. These features are critical for maintaining system security, enforcing password policies, and managing user access.

Let’s dive into the details of the passwd command and its options, which are essential for every Linux user and admin.

passwd


Key Features and Options of the passwd Command

The passwd command has several options that allow for advanced management of user passwords. Let’s explore these options in detail.

1. -k or --keep-tokens: Keep Non-Expired Password Tokens

The -k option restricts the update to authentication tokens (passwords) that have already expired and leaves non-expired tokens unchanged. This is useful when you want to enforce password changes for expired accounts without affecting other users.

Example:

sudo passwd -k username

This command has the user change their expired password while any non-expired tokens stay intact.

2. -l or --lock: Lock User Account

Locking an account prevents the user from logging in using their password. The passwd command locks the account by prefixing the password hash with an exclamation mark (!), rendering it invalid.

Note: This method does not fully lock the account; other authentication methods like SSH public key authentication can still be used.

Example:

sudo passwd -l username

This command locks the specified user account. If you want to fully lock an account, consider using the chage -E 0 command instead.

3. --stdin: Read Password from Standard Input

The --stdin option allows you to pipe the password directly into the passwd command. This is particularly useful when automating password changes in scripts or when managing multiple accounts.

Example:

echo "newpassword" | sudo passwd --stdin username

This command sets the password for the specified user by reading the password from standard input.
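
An added example (not from the original article) of the scripted use described above: each account gets a random temporary password fed to passwd --stdin and is then expired with -e, so no password is typed on a command line or stored in the script. PASSWD_CMD, RESET_LOG, the helper functions and the user names are assumptions of this example, and it assumes a passwd build that accepts --stdin as shown above.

```shell
#!/bin/sh
# Added example: bulk reset through passwd --stdin with no literal password in
# the script or shell history. PASSWD_CMD, RESET_LOG, the helper names and the
# user names are assumptions of this example, not part of passwd.

RESET_LOG=${RESET_LOG:-$(mktemp)}

# rehearse_passwd: default stand-in so the example runs without root. It logs
# its arguments and, for --stdin, how many bytes arrived on standard input.
rehearse_passwd() {
    case "$1" in
        --stdin) printf '%s bytes=%s\n' "$*" "$(wc -c | tr -d ' ')" ;;
        *)       printf '%s\n' "$*" ;;
    esac >>"$RESET_LOG"
}
PASSWD_CMD=${PASSWD_CMD:-rehearse_passwd}   # as root: PASSWD_CMD=passwd

# gen_password LEN (<= 64): hex string drawn from the kernel CSPRNG.
gen_password() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c "1-$1"
}

# reset_user USER: set a random temporary password via --stdin, then expire it
# with -e so it only lasts until the next login. Prints "USER PASSWORD".
reset_user() {
    pw=$(gen_password 24)
    printf '%s\n' "$pw" | "$PASSWD_CMD" --stdin "$1" >/dev/null || return 1
    "$PASSWD_CMD" -e "$1" >/dev/null || return 1
    printf '%s %s\n' "$1" "$pw"
}

# reset_all USER...: reset every listed account, reporting failures on stderr.
reset_all() {
    for u in "$@"; do
        reset_user "$u" || echo "reset failed for $u" >&2
    done
}

# Rehearsal with constructed user names; mktemp creates the file with mode 0600.
handover=$(mktemp)
reset_all alice bob >"$handover"
echo "temporary passwords written to $handover; calls logged in $RESET_LOG"
```

The hand-over file holds cleartext temporary passwords, so deliver it over a protected channel and delete it once the users have logged in and chosen new passwords.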

4. -u or --unlock: Unlock User Account

The -u option reverses the effect of -l by removing the ! from the password hash, thus unlocking the account.

Example:

sudo passwd -u username

This command unlocks the specified user account, allowing the user to log in again.

Note: By default, passwd will refuse to unlock an account if it has no password or only has a “!” as a password. The -f option overrides this refusal and forces the unlock.

5. -d or --delete: Delete User’s Password

The -d option removes the password from an account, leaving it passwordless. This is useful for accounts that need to be deactivated but still exist on the system.

Example:

sudo passwd -d username

This command deletes the password for the user, making it impossible for them to log in via password authentication. However, the user can still log in using other methods (e.g., SSH public key).
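
The lock, unlock and delete options above all rewrite the password field in /etc/shadow, so that field can be audited directly. The following is an added example, not part of the original article: it classifies the field for each line of shadow-format input and shows why unlocking a bare "!" would leave an account passwordless. An empty field is a different state from a locked one, and pam_unix rejects an empty password unless its nullok argument is set, so passwordless accounts are worth flagging on any host where nullok is present. The function names and sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the password field of shadow-format lines.
# Field meanings follow shadow(5); every sample line below is constructed.

# pw_state FIELD -> empty | locked-no-hash | locked | no-login | hash
pw_state() {
    case "$1" in
        '')        echo empty ;;           # what passwd -d leaves behind
        '!'|'!!')  echo locked-no-hash ;;  # lock marker only, no hash behind it
        '!'*)      echo locked ;;          # passwd -l: hash kept behind a leading !
        '*')       echo no-login ;;        # not a valid hash, matches no password
        *)         echo hash ;;            # usable password hash
    esac
}

# unlock_result FIELD -> state once the lock marker is removed.
# Simplification in this example: all leading ! characters are stripped.
unlock_result() {
    f=$1
    while [ "${f#\!}" != "$f" ]; do f=${f#\!}; done
    pw_state "$f"
}

# audit_shadow: read shadow-format lines on stdin, print "user state".
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(pw_state "$field")"
    done
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$SALT$PLACEHOLDERHASH:20090:0:90:7:::
bob:!$6$SALT$PLACEHOLDERHASH:20090:0:90:7:::
carol::20090:0:99999:7:::
svc:!:20090::::::
daemon:*:19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real host the same audit is `sudo cat /etc/shadow | audit_shadow`, and any account reported as empty deserves a look at the PAM configuration.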

6. -e or --expire: Expire User’s Password

The -e option expires a user’s password immediately, forcing them to change it the next time they log in.

Example:

sudo passwd -e username

This command expires the password for the user, ensuring that they will be prompted to change it upon the next login.

7. -n or --minimum DAYS: Set Minimum Password Age

This option sets the minimum number of days between password changes for the user. For example, if you set a minimum of 7 days, the user cannot change their password more frequently than that.

Example:

sudo passwd -n 7 username

This command sets the minimum password age for the specified user to 7 days.

8. -x or --maximum DAYS: Set Maximum Password Age

The -x option sets the maximum number of days a user can use their password before being forced to change it. This is essential for enforcing password rotation policies.

Example:

sudo passwd -x 90 username

This command forces the user to change their password every 90 days.

9. -w or --warning DAYS: Set Password Expiry Warning

The -w option determines the number of days before the password expires that the user will start receiving warnings. This helps users prepare for password changes in advance.

Example:

sudo passwd -w 7 username

This command will warn the user 7 days before their password expires.

10. -i or --inactive DAYS: Set Inactivity Period

This option sets the number of days after the password expires before the user account is considered inactive and disabled. The account will be locked after the specified inactivity period.

Example:

sudo passwd -i 30 username

This command will disable the account if the password has been expired for more than 30 days.
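
How the minimum, maximum, warning and inactivity settings from options 7 to 10 combine over time, together with the forced change from -e, is easier to see when computed. The following added example (not from the original article) reads one shadow-format line and reports where the account stands on a given day. The function name and the sample account are constructed, and treating the boundary day itself as already expired is this example's choice.

```shell
#!/bin/sh
# Added example: place an account on the ageing timeline set by
# passwd -n / -x / -w / -i. Field order follows shadow(5).

# age_state LINE TODAY   (TODAY and the date fields are days since 1970-01-01)
age_state() {
    IFS=: read -r _user _pw last min max warn inact _rest <<EOF
$1
EOF
    today=$2
    # passwd -e stores 0 as the last-change day: change required at next login.
    if [ "$last" = 0 ]; then echo must-change; return 0; fi
    # No last-change day or no maximum age: the password never expires.
    if [ -z "$last" ] || [ -z "$max" ]; then echo no-expiry; return 0; fi
    expires=$((last + max))
    if [ "$today" -ge "$expires" ]; then
        if [ -n "$inact" ] && [ "$today" -ge $((expires + inact)) ]; then
            echo inactive            # -i grace period used up: account disabled
        else
            echo expired             # password must be changed at login
        fi
    elif [ -n "$warn" ] && [ "$today" -ge $((expires - warn)) ]; then
        echo warning                 # inside the -w window
    elif [ -n "$min" ] && [ "$today" -lt $((last + min)) ]; then
        echo too-soon-to-change      # -n blocks another change for now
    else
        echo valid
    fi
}

# Constructed account: password set on day 20090 with -n 7 -x 90 -w 7 -i 30.
demo='dave:PLACEHOLDERHASH:20090:7:90:7:30::'
for day in 20092 20100 20175 20185 20215; do
    printf 'day %s: %s\n' "$day" "$(age_state "$demo" "$day")"
done
```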

11. -S or --status: Display User Password Status

The -S option outputs a summary of the user’s password status, including whether the password is locked, the date of the last password change, and the expiration settings.

Example:

sudo passwd -S username

This command will display the password status for the specified user.


Practical Use Cases for the passwd Command

1. Enforcing Strong Password Policies

Linux administrators often use the passwd command to enforce password policies, such as requiring passwords to be changed periodically. By using the -x and -w options, admins can ensure that users are regularly prompted to change their passwords and are given a warning before they expire.

2. Locking User Accounts Temporarily

In situations where an account needs to be temporarily disabled, the passwd -l command comes in handy. It is particularly useful for managing accounts that should be disabled for maintenance or when a user is temporarily away.

3. Automating User Password Management

By leveraging the --stdin option, system administrators can automate password changes for users, making it easier to reset passwords in bulk during security audits or after a breach.

4. Cleaning Up Unused Accounts

The passwd -d command is useful for cleaning up unused accounts without deleting them completely. For example, if a user is leaving the organization but their account needs to remain for audit purposes, removing the password prevents unauthorized access while keeping the account in place.


Conclusion

The passwd command in Linux is an indispensable tool for managing user authentication tokens, enforcing password policies, and maintaining system security. With a wide range of options to lock, unlock, expire, and delete passwords, it provides a flexible and powerful way to manage user access.

By mastering the passwd command, administrators can improve the security of their systems, ensuring that passwords are properly managed and accounts are kept secure. Whether you’re an experienced sysadmin or just getting started with Linux, understanding the ins and outs of the passwd command is essential for keeping your systems safe.

Learn more about Linux-PAM (Pluggable Authentication Modules) and its role in authentication on Linux-PAM Wiki.