Managing password policies
Last updated on: 2020-04-08
Authored by: Marcin Stangel
After system installation, most Linux® distributions have relaxed rules regarding how often you must change your password, or how long you need to wait until you can change it again. This article provides guidelines for changing password policy rules to strengthen password security.
Setting policies for future new user accounts
Cloud Servers stores password policies for new user accounts in the /etc/login.defs configuration file. This file contains a couple of useful options:
PASS_MAX_DAYS: Maximum number of days you can use a password.
PASS_MIN_DAYS: Minimum number of days allowed between password changes.
PASS_MIN_LEN: Minimum acceptable password length.
PASS_WARN_AGE: Number of days before a password expires for giving a warning.
By default, Cloud Servers sets these options to the following values:
PASS_MAX_DAYS 99999 PASS_MIN_DAYS 0 PASS_MIN_LEN 5 PASS_WARN_AGE 7
These settings allow you to keep your password almost forever, change it as many times as you want, and set a low length limit on the password itself.
The following example shows password policy rules that are more secure than the default settings:
PASS_MAX_DAYS 60 PASS_MIN_DAYS 5 PASS_MIN_LEN 8 PASS_WARN_AGE 7
These new rules apply to all newly created accounts. Passwords for these accounts have to be 8 characters long and last only 60 days, and users cannot change them for 5 days, counted from the day they set the password. Users also receive a warning 7 days before the password expires.
Setting policies for existing user accounts
Changes in the /etc/login.defs file apply only to accounts that users create after the changes are implemented; they don’t apply to accounts that already exist.
You can, however, change the same settings on existing accounts by
chage command. For example:
chage <options> <username>
You can also run
chage with only a username, and it opens an interactive mode
for you to adjust the settings for the password policy.
The syntax for this command is as follows:
chage <username>- Runs the command in an interactive mode.
chage -l <username>- Lists current expiration settings for the account.
chage -d <username>- Forces the user to change their password on next login.
chage <options> <username>- Sets the specified settings for the account.
You can use the following options with the
-M- Maximum password age in days.
-m- Minimum password age in days. A value of 0 means that no minimum age is required.
-W- Password warning period in days, A value of 0 means that there is no warning period.
-I- Password inactive period in days, which is the number of days counted from the password expiration date, during which you could still log in and change your password. After that grace period ends, the account is inaccessible.
-E- Account expiration date. You can specify the date in many formats, including epoch. However, user-friendly formats like “December 31, 2014” work