Managing Password Expiration Policies for Linux Users

Core Management Tool: <span>chage</span> Command

<span>chage</span> (change age) is a command specifically used to modify user password and account expiration information. It provides more granular control than the <span>passwd</span> command.

1. View Current Password Policy

To view the current password expiration settings for a user (for example, user <span>zhangsan</span>), use the <span>-l</span> option:

sudo chage -l zhangsan

Example output:

Last password change                                    : Aug 15, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Meaning of Each Field:

  • Last password change: The date when the password was last changed.
  • Password expires: The date when the password expires. “never” means it never expires.
  • Password inactive: The grace period after the password expires during which the user can still log in; after this period, the account will be locked. “never” means no limit.
  • Account expires: The absolute date when the account itself expires. “never” means the account never expires.
  • Minimum number of days…: The minimum number of days that must pass between password changes (setting it to 0 means the password can be changed at any time).
  • Maximum number of days…: The maximum number of days the password remains valid (i.e., the password validity period).
  • Number of days of warning…: The number of days before the password expires that the user will start receiving warnings.

2. Set Password Policy (Common Options)

All the following commands require <span>root</span> privileges or use of <span>sudo</span>.

Option Meaning Example and Explanation
<span>-m days</span> Set the minimum password change interval <span>sudo chage -m 7 zhangsan</span> sets the user to wait 7 days before changing the password again.
<span>-M days</span> Set the maximum password validity period <span>sudo chage -M 90 zhangsan</span> sets the password to expire after 90 days. This is one of the most important security policies.
<span>-W days</span> Set the expiration warning days <span>sudo chage -W 7 zhangsan</span> starts reminding the user 7 days before the password expires.
<span>-I days</span> Set the grace period after password expiration <span>sudo chage -I 5 zhangsan</span> gives the user 5 days to log in and change the password after expiration, after which the account is locked.
<span>-E date</span> Set the account expiration absolute date <span>sudo chage -E 2024-12-31 zhangsan</span> sets the account to expire at the end of 2024. The date format is YYYY-MM-DD, or use <span>-1</span> to indicate it never expires.
<span>-d date</span> Force set the last password change time <span>sudo chage -d 2024-08-01 zhangsan</span> is usually used to force the user’s password to expire immediately (<span>-d 0</span>).

3. Interactive Setting Mode

Using <span>chage</span> without any options will enter interactive mode, where the system will prompt you step by step to enter each parameter, which is very suitable for first-time setups.

sudo chage zhangsan

4. Important Example Scenarios

Scenario 1: Setting Standard Security Policies for New Employees

“Password must be changed every 90 days, cannot be changed again within 7 days after changing, warning starts 7 days before expiration, account is immediately locked after expiration.”

sudo chage -m 7 -M 90 -W 7 -I 0 zhangsan

Scenario 2: Forcing Users to Change Password on Next Login

This is very useful after creating a new user or resetting a user’s password.

# Method 1: Using passwd
sudo passwd --expire zhangsan

# Method 2: Using chage to set the last change date to 1970-1-1 (epoch)
sudo chage -d 0 zhangsan

On the next login, the system will force the user to set a new password.

Scenario 3: Setting a Temporary Account

“Create a temporary intern account, password expires after 30 days, and the entire account automatically becomes invalid after 3 months.”

sudo useradd intern
sudo passwd intern # Set initial password
sudo chage -M 30 -E 2024-11-30 intern

5. Global Default Policy: <span>/etc/login.defs</span>

<span>chage</span> modifies the policy for a single user. The default password policy for new users created by the system comes from the <span>/etc/login.defs</span> file.

You can edit this file to modify the global defaults:

sudo vim /etc/login.defs

Find and modify the following parameters (the file contains detailed comments):

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

Note: Modifying <span>/etc/login.defs</span> only affects newly created users, and will not impact existing users. To modify existing users, you still need to use the <span>chage</span> command.

Summary and Best Practices

Policy Item Recommended Value Security Implication
Password Validity Period (<span>-M</span>) 90 or 180 days Enforces regular password changes, reducing the risk of long-term password cracking.
Minimum Change Interval (<span>-m</span>) 1-7 days Prevents users from frequently reverting to old passwords to bypass history checks.
Warning Period (<span>-W</span>) 7 days Gives users ample time to prepare for password changes.
Grace Period (<span>-I</span>) 0 or very short Immediately locks the account after password expiration, preventing unauthorized access.

Important Reminders:

  • • Overly strict policies (such as very short validity periods) may lead to user fatigue and writing down passwords, requiring a balance between security and usability.
  • • For service accounts, it is common to set <span>chage -M 99999 -I -1 -E -1</span> to make them never expire, managed by automation tools.
  • • Regularly auditing user password policies using <span>chage -l</span> is a good security practice.

For example:

chage -M 9999 user

• This command sets the maximum validity period of the specified user's password to 9999 days (about 27 years).

• The -M parameter is followed by the maximum number of days the password remains valid.

• This is a very lenient setting, essentially meaning the password will hardly ever expire.

Leave a Comment