After system installation, most Linux® distributions have
relaxed rules regarding how often you must change your password, or how
long you need to wait until you can change it again. This article
provides guidelines for changing password policy rules to strengthen
Cloud Servers stores password policies for new user accounts
in the /etc/login.defs configuration file. This file contains
a couple of useful options:
PASS_MAX_DAYS: Maximum number of days you can use a password.
PASS_MIN_DAYS: Minimum number of days allowed between password changes.
PASS_MIN_LEN: Minimum acceptable password length.
PASS_WARN_AGE: Number of days before a password expires during which the user receives a warning.
By default, Cloud Servers sets these options to the following values:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
These settings allow you to keep your password almost
forever, change it as many times as you want, and set a
low length limit on the password itself.
The following example shows password policy rules that are more secure than
the default settings:
PASS_MAX_DAYS 60
PASS_MIN_DAYS 5
PASS_MIN_LEN 8
PASS_WARN_AGE 7
These new rules apply to all newly created accounts. Passwords for
these accounts have to be 8 characters long and last only 60 days,
and users cannot change them for 5 days, counted from the
day they set the password. Users also receive a warning 7 days
before the password expires.
Changes in the /etc/login.defs file apply only to accounts that users
create after the changes are implemented; they don't apply to accounts
that already exist.
You can, however, change the same settings on existing accounts by
using the chage command. For example:
chage <options> <username>
You can also run
chage with only a username, and it opens an interactive mode
for you to adjust the settings for the password policy.
The syntax for this command is as follows:
chage <username> - Runs the command in an interactive mode.
chage -l <username> - Lists current expiration settings for
chage -d 0 <username> - Forces the user to change their password on
chage <options> <username> - Sets the specified settings for
You can use the following options with the
-M - Maximum password age in days.
-m - Minimum password age in days. A value of 0 means that no
minimum age is required.
-W - Password warning period in days. A value of 0 means that
there is no warning period.
-I - Password inactive period in days, which is the number of days
counted from the password expiration date, during which you can
still log in and change your password. After that grace period ends,
the account is inaccessible.
-E - Account expiration date. You can specify the date in many
formats, including epoch. However, user-friendly formats like
"December 31, 2014" work
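Because changes to /etc/login.defs do not reach existing accounts, it helps to find which accounts still carry the old values. The following script is an added example, not part of the original article: it reads shadow(5)-format lines, compares each password-enabled account against the stricter values shown earlier, and prints the chage command that would bring it in line. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Target policy: the values from the stricter example in this article.
MAX_DAYS=60
MIN_DAYS=5
WARN_AGE=7

# Reads shadow(5)-format lines on stdin and prints one chage command for each
# account that has a usable password hash and whose aging fields differ from
# the policy above.
# Fields: 1=login 2=hash 3=last change 4=min age 5=max age 6=warn period
audit_shadow() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_AGE" '
        # Skip blank lines and comments.
        $1 == "" || $1 ~ /^#/ { next }
        # Skip accounts with no password login: empty field, or a hash
        # field that starts with "!" or "*".
        $2 == "" || $2 ~ /^[!*]/ { next }
        # An empty aging field means the restriction is not set at all,
        # so it also counts as a mismatch.
        $4 != min || $5 != max || $6 != warn {
            printf "chage -M %d -m %d -W %d %s\n", max, min, warn, $1
        }
    '
}

# Constructed sample data (placeholder hashes, not real credentials).
sample_shadow() {
    cat <<'EOF'
root:$6$constructed$hashA:19000:0:99999:7:::
alice:$6$constructed$hashB:19500:5:60:7:::
bob:$6$constructed$hashC:19400:0:99999:7:::
carol:$6$constructed$hashD:19450:5:90:14:::
daemon:*:18000:0:99999:7:::
svc_backup:!:18000::::::
EOF
}

# Demo run on the sample data. To audit a live system instead:
#   sudo cat /etc/shadow | audit_shadow
sample_shadow | audit_shadow
```

The script only prints commands; review the list (especially root and accounts used by automation) before running any of them.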