Managing password policies
After system installation, most Linux® distributions have
relaxed rules regarding how often you must change your password, or how
long you need to wait until you can change it again. This article
provides guidelines for changing password policy rules to strengthen
password security.
Setting policies for future new user accounts
Cloud Servers stores password policies for new user accounts
in the /etc/login.defs configuration file. This file contains
a couple of useful options:
PASS_MAX_DAYS
: Maximum number of days you can use a password.PASS_MIN_DAYS
: Minimum number of days allowed between password changes.PASS_MIN_LEN
: Minimum acceptable password length.PASS_WARN_AGE
: Number of days before a password expires for giving a warning.
By default, Cloud Servers sets these options to the following values:
PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7
These settings allow you to keep your password almost
forever, change it as many times as you want, and set a
low length limit on the password itself.
The following example shows password policy rules that are more secure than
the default settings:
PASS_MAX_DAYS 60 PASS_MIN_DAYS 5 PASS_MIN_LEN 8 PASS_WARN_AGE 7
These new rules apply to all newly created accounts. Passwords for
these accounts have to be 8 characters long and last only 60 days,
and users cannot change them for 5 days, counted from the
day they set the password. Users also receive a warning 7 days
before the password expires.
Setting policies for existing user accounts
Changes in the /etc/login.defs file apply only to accounts that users
create after the changes are implemented; they don't apply to accounts
that already exist.
You can, however, change the same settings on existing accounts by
using the chage
command. For example:
chage <options> <username>
You can also run chage
with only a username, and it opens an interactive mode
for you to adjust the settings for the password policy.
The syntax for this command is as follows:
chage <username>
- Runs the command in an interactive mode.chage -l <username>
- Lists current expiration settings for
the account.chage -d <username>
- Forces the user to change their password on
next login.chage <options> <username>
- Sets the specified settings for
the account.
You can use the following options with the chage
command:
-M
- Maximum password age in days.-m
- Minimum password age in days. A value of 0 means that no
minimum age is required.-W
- Password warning period in days, A value of 0 means that
there is no warning period.-I
- Password inactive period in days, which is the number of days
counted from the password expiration date, during which you could
still log in and change your password. After that grace period ends,
the account is inaccessible.-E
- Account expiration date. You can specify the date in many
formats, including epoch. However, user-friendly formats like
"December 31, 2014" work
Updated 12 months ago