[Linux] Managing Passwords and Expiration with the passwd Command

Overview

The passwd command is used to change, set, or manage user account passwords. While standard users can only change their own passwords, system administrators (root) have the authority to set or change passwords for all users. Additionally, administrators can perform advanced security management tasks, such as setting password expiration dates, locking accounts, or removing passwords entirely to allow password-less access.

Specifications (Arguments and Options)

Syntax

BASH

passwd [options] [username]

Main Options

Option                  Description
-d, --delete            Deletes the password, potentially allowing login without one (depends on configuration).
-e, --expire            Immediately expires the password, forcing the user to change it upon the next login.
-i [days], --inactive   Sets the number of days after a password expires before the account is completely disabled.
-S, --status            Displays the account's password status (locked/unlocked, encryption method, dates, etc.).
-w [days], --warning    Sets the number of days before expiration to start warning the user.
-x [days], --maxdays    Sets the maximum number of days a password remains valid (expiration period).

Basic Usage

The following examples demonstrate how a standard user changes their own password and how an administrator changes a password for a specific user.

BASH

# Standard user changing their own password (current password required)
passwd

# Changing the root account's password (passwd run through sudo acts on root)
sudo passwd

# Administrator forcing a password change for user 'mori' (current password not required)
sudo passwd mori

Example Output (Changing another user’s password)

Changing password for user mori.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Practical Commands

Deleting a Password (Disabling) and Checking Status

This operation removes the password for a specific user, creating a state where no password is required for login (or preventing login, depending on PAM settings). You can also verify the status of the account.

BASH

# Delete the password for user 'mori'
sudo passwd -d mori

# Check the status
sudo passwd -S mori

Example Output (-S flag)

mori NP 2026-01-26 0 99999 7 -1 (Password set, no password required.)

Note: Status codes include NP (No Password) and PS (Password Set).
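
The status line format shown above can be checked automatically. The following is an added example, not code from the original article: it reads `passwd -S` style lines and reports accounts with an empty password or an overly long maximum age. The users alice, bob and svc, the function names and the day thresholds are constructed for illustration, and the L/LK locked codes come from passwd(1) rather than from this article.

```sh
#!/bin/sh
# Added example (not from the original article): audit `passwd -S` output.
# Field order per passwd(1): user status last-change min max warn inactive

# Constructed sample lines; the first is the article's output after `passwd -d`.
sample_status() {
    cat <<'EOF'
mori NP 2026-01-26 0 99999 7 -1 (Password set, no password required.)
alice PS 2026-01-10 0 90 7 14
bob PS 2025-03-02 0 99999 7 -1
svc LK 2025-01-01 0 99999 7 -1
EOF
}

# Reads status lines on stdin and prints "user:FINDING" for each problem.
# $1 = longest acceptable maximum password age in days (hypothetical policy,
#      defaults to 365).
audit_passwd_status() {
    awk -v max_ok="${1:-365}" '
        NF < 7                  { next }   # malformed or blank line
        $2 == "NP"              { print $1 ":EMPTY_PASSWORD"; next }
        $2 == "L" || $2 == "LK" { next }   # locked password, cannot be used
        ($5 + 0) < 0 || ($5 + 0) > (max_ok + 0) {
            print $1 ":MAX_AGE_TOO_LONG max=" $5
        }
    '
}

# On a live system (as root), feed real data instead of the sample:
#   for u in $(getent passwd | cut -d: -f1); do passwd -S "$u"; done \
#       | audit_passwd_status 90
sample_status | audit_passwd_status 365
```

Any EMPTY_PASSWORD finding deserves immediate attention, since whether such an account can log in depends only on PAM configuration.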

Forcing a Password Change on Next Login

This is useful when an administrator sets a temporary password for a new account and wants the user to define their own password immediately. Using the -e option marks the current password as expired instantly.

BASH

# Expire the password for user 'mori'
sudo passwd -e mori

Example Output (During mori's next login)

login: mori
Password: 
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Current password: 
New password: 
Retype new password: 

Customization

Automation with Pipes

When setting passwords within a script, you may use pipes to avoid the interactive prompt. Note that this carries security risks as the password may appear in command history.

BASH

echo "mori:NewPassword123" | sudo chpasswd

Or, if supported by your distribution:

BASH

echo "NewPassword123" | sudo passwd --stdin mori

Important Notes

Password Policy

System settings (such as /etc/login.defs or PAM configurations) may reject passwords that are too short or contain dictionary words. While executing with root privileges often allows you to override these checks, standard users must strictly adhere to the complexity rules when changing their passwords.

Difference Between Locking and Deleting

The -d (delete) option makes the password “empty.” This is different from “locking” an account (preventing login), which is done using usermod -L or passwd -l. If the system is not configured to allow empty passwords, executing -d may inadvertently result in the user being unable to log in at all.

Summary

The passwd command is not just a tool for changing passwords; it is a critical management utility for enforcing system security policies through expiration dates and warning periods. In particular, the -e option (force change) is an essential feature for managing initial passwords, and every administrator should master its use.
