How To Change A User Password In Linux: A Complete Step-By-Step Guide

You Need to Change a Password on Your Linux System

Whether you’re a new system administrator onboarding a team member, a developer securing a server, or a user who just received a “password expired” warning, the need to change a password in Linux is a universal task. It’s a fundamental act of security and access management.

Yet, if you’re not deeply familiar with the command line, the process can seem opaque. You might wonder which command to use, if you need special permissions, or how to handle a situation where a user has forgotten their password entirely. The good news is that Linux provides straightforward, powerful tools for this essential job.

This guide will walk you through every method, from the simple interactive prompt to advanced bulk operations. We’ll cover changing your own password, changing another user’s password as an administrator, and forcing a password change on the next login. By the end, you’ll handle user passwords on any Linux distribution with confidence.

Understanding Linux User Authentication

Before diving into the commands, it helps to know what’s happening behind the scenes. In Linux, user account information, including hashed passwords, is traditionally stored in the /etc/passwd and /etc/shadow files.

The /etc/passwd file contains basic user information like username, user ID, group ID, home directory, and login shell. For security, modern systems store the actual password hash in the /etc/shadow file, which is readable only by the root user.

When you change a password, you are replacing the password hash stored in the /etc/shadow file. The commands we use handle this securely, prompting for the new password and then generating and storing the new hash.

The Two Key Commands: passwd and usermod

Almost all password management revolves around two commands: passwd and usermod.

The passwd command is the primary tool for setting and changing passwords. Its behavior changes depending on who runs it. The usermod command is used for broader user account modifications, including setting password expiration policies.

Knowing when and how to use each is the first step to mastering user management.

Changing Your Own Password

This is the most common scenario. Any user can change their own password by simply typing the passwd command without any arguments.

Open a terminal and type:

passwd

The system will first ask you for your current password. This is a security measure to prevent someone from changing your password if they briefly access your terminal. After successfully entering your current password, you will be prompted to enter your new password twice.

The second entry is for verification, to catch any typos. If the two entries match, your password is changed immediately. You will see a confirmation message: “passwd: password updated successfully”.

What Makes a Strong Linux Password?

When choosing a new password, the system will often enforce a password policy. A strong password should:

– Be at least 12 characters long.
– Mix uppercase and lowercase letters.
– Include numbers and special symbols (e.g., !, @, #, $).
– Avoid common dictionary words, personal information, or simple patterns.

If your chosen password is too weak or doesn’t meet the system’s complexity rules, the passwd command will reject it and ask you to try again.

Changing Another User’s Password as Root or Sudo

System administrators frequently need to change passwords for other users, such as when setting up a new account or helping someone who has forgotten their credentials. This requires elevated privileges.

You must be logged in as the root user or use sudo before the command. The syntax is straightforward:

sudo passwd username

Replace “username” with the actual login name of the user. For example, to change the password for a user named “john”:

sudo passwd john

A crucial difference here: you will not be asked for the user’s current password. As an administrator, you can override it. The command will prompt you directly to enter the new password for the user and then confirm it.

This is the standard method for resetting a forgotten user password. Once you set the new password, inform the user of their new temporary credentials and instruct them to change it immediately after their next login.

Forcing a Password Change on Next Login

After resetting a user’s password, it’s a best practice to force them to choose a new one upon first login. This ensures they are the only person who knows their active password.

You can achieve this by expiring the user’s password. The command to do this is:

sudo passwd --expire username

For example:

sudo passwd --expire john

This command doesn’t change the password hash itself. Instead, it sets a flag in the /etc/shadow file that marks the password as expired. The next time user “john” logs in, the system will accept the password you just set but will immediately force him to choose a new one before granting full access to the shell or desktop.

This is a critical security step for initial account provisioning or password recovery.

Using usermod for Account Locking and Unlocking

Beyond passwd, the usermod command offers additional control. A common related task is locking and unlocking a user account.

To lock an account, preventing any password-based login:

sudo usermod --lock username

To unlock it again:

sudo usermod --unlock username

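Locking an account places an exclamation mark (!) at the front of the password hash in /etc/shadow, effectively invalidating it. The user’s other account properties remain intact. This is preferable to deleting an account for a user who is on leave or whose access is temporarily suspended. Note that this only disables the password: other authentication methods, such as SSH keys, may still work. The usermod manual page advises also setting the account’s expiry date to 1 if you want to lock the account entirely.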

Advanced Scenarios and Troubleshooting

Sometimes, things don’t go as planned. Here are solutions to common issues.

“Permission Denied” Error

If you get a “Permission denied” error when trying to change another user’s password, it means you lack superuser privileges. Ensure you are prefixing the command with sudo and that your user account is in the sudo group (on some distributions the equivalent group is wheel). You can check this with the groups command.

Changing Password for a System User

System users (like “www-data” or “mysql”) typically have locked passwords by default, as they are not meant for interactive login. You can still set a password for them using sudo passwd username, but it’s rarely necessary. For service authentication, SSH keys or application-specific configuration is usually preferred.

Bulk Password Changes with a Script

If you need to set the same initial password for multiple new users, you can use a simple shell script. However, for security, it’s better to force a change on first login. A basic script loop looks like this:

for user in user1 user2 user3; do
  echo "Setting temp password for $user"
  echo "$user:NewTempPass123" | sudo chpasswd
  sudo passwd --expire "$user"
done

This uses chpasswd, a command that reads username:password pairs from standard input. Note that the password is in plain text in the script, so such scripts must be handled and deleted with extreme care.
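A hardened variant of the loop above, as an added example that is not part of the original guide: it goes beyond the shared-password case by generating a different random temporary password for each user, so no password is written into the script itself. The function names (gen_temp_password, make_pairs, provision_users) are hypothetical, and the script assumes it is run as root, for example with sudo sh provision.sh user1 user2 user3.

```sh
#!/bin/sh
# Added example: unique random temporary password per user.

gen_temp_password() {
  # 20 random alphanumeric characters drawn from /dev/urandom
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

make_pairs() {
  # Print one "username:password" line per argument (the format chpasswd reads)
  for user in "$@"; do
    printf '%s:%s\n' "$user" "$(gen_temp_password)"
  done
}

provision_users() {
  # Must run as root. The pairs exist only in a temp file readable by root,
  # which the administrator uses to deliver the credentials and then deletes.
  umask 077
  pairs=$(mktemp) || return 1
  make_pairs "$@" > "$pairs"
  chpasswd < "$pairs" || return 1
  for user in "$@"; do
    # Force each user to pick their own password at first login
    passwd --expire "$user" || return 1
  done
  echo "Temporary credentials are in $pairs; deliver them, then delete the file." >&2
}

# Only touch accounts when user names are given on the command line
if [ "$#" -gt 0 ]; then
  provision_users "$@"
fi
```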

What to Do If You Forget the Root Password

If you lose the root password, you will need to boot the system into single-user mode or recovery mode. This process is distribution-specific but generally involves interrupting the boot loader (like GRUB), editing the kernel command line to add “single” or “init=/bin/bash”, and booting to a root shell without a password. From there, you can use passwd root to set a new password.

Because this involves physical or virtual console access, it underscores the importance of securing the boot process in addition to user passwords.

Best Practices for Password Management

Changing passwords is just one part of a secure system. Follow these practices:

– Enforce regular password expiration using the chage command or by editing /etc/login.defs.
– Implement a strong password policy with PAM (Pluggable Authentication Modules), using modules like pam_pwquality.
– Where possible, use SSH key-based authentication instead of passwords for server access.
– Consider using a centralized authentication system like LDAP or FreeIPA for large environments.
– Always force a password change after an administrative reset.

Regular audits with commands like sudo chage -l username (to list password aging info) or checking for empty passwords (sudo awk -F: '($2 == "") {print $1}' /etc/shadow) help maintain security.
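The empty-password check above can be extended into a single pass that also reports the lock marker from usermod --lock and the forced-change state left by passwd --expire (which sets the third shadow field, the last-change date, to 0). This is an added example, not part of the original guide; the function names and status labels are hypothetical, and the sample entries are constructed with placeholder hash fields.

```sh
#!/bin/sh
# Added example: classify accounts from shadow-format lines on stdin.
# Field layout per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved

audit_shadow() {
  awk -F: '
    {
      state = "OK"
      if ($2 == "")         state = "EMPTY_PASSWORD"   # login without any password
      else if ($2 ~ /^!/)   state = "LOCKED"           # prefix added by usermod --lock
      else if ($2 == "*")   state = "NO_PASSWORD"      # no usable hash (typical system user)
      else if ($3 == "0")   state = "MUST_CHANGE"      # passwd --expire sets lastchg to 0
      print $1 ":" state
    }'
}

sample_shadow() {
  # Constructed sample data; the hash fields are placeholders, not real hashes.
  cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:90:7:::
john:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0:90:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:90:7:::
www-data:*:19700:0:99999:7:::
guest::19800:0:99999:7:::
EOF
}

# Demo on the constructed sample. On a real host: sudo cat /etc/shadow | audit_shadow
sample_shadow | audit_shadow
```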

Your Next Steps for Secure System Administration

You now have a complete toolkit for managing user passwords in Linux. Start by practicing in a safe, non-production environment. Change your own password, then use sudo to create a test user and go through the full cycle: set a password, expire it, and observe the forced change on login.

Explore the manual pages for the commands discussed (man passwd, man usermod, man chage) to discover even more options for fine-tuning account security. Password management is a cornerstone of system integrity, and mastering these commands is a fundamental skill for any Linux user or administrator.

Remember, the goal is not just to change a password, but to do so in a way that maintains or improves the overall security posture of your system. With the methods outlined here, you’re well-equipped to handle that responsibility.