
Passwords are the cornerstone of account security. We'll show you how to reset passwords, set password expiration periods and enforce password changes on your Linux network.
The password has been around for almost 60 years
We have been proving to computers that we are who we say we are since the mid-1960s, when the password was first introduced. Necessity being the mother of invention, the Compatible Time-Sharing System developed at the Massachusetts Institute of Technology needed a way to identify different people on the system. It also needed to prevent people from seeing each other's files.
Fernando J. Corbató proposed a scheme that assigned a unique username to each person. To prove that someone was who they claimed to be, they had to use a private, personal password to access their account.
The problem with passwords is that they work like a key. Anyone with a key can use it. If someone finds, guesses or discovers your password, that person can access your account. Until multi-factor authentication is universally available, the password is the only thing that keeps unauthorized people (threat actors, in cybersecurity language) out of your system.
Remote connections made by Secure Shell (SSH) can be configured to use SSH keys instead of passwords, and that's great. However, that's just one connection method and doesn't cover local logins.
Clearly, password management is vital, as is managing the people who use those passwords.
The anatomy of a password
So what makes a good password? A good password must have all of the following attributes:
- It is impossible to guess or work out.
- You have not used it anywhere else.
- It has not been involved in a data breach.
The Have I Been Pwned? (HIBP) website contains more than 10 billion sets of breached credentials. With figures that high, someone else has probably used the same password as you. This means your password could be in the database even though it was not your account that was breached.
If your password is on the HIBP website, it is on the password lists that threat actors feed to the brute-force and dictionary attack tools they use when trying to break into an account.
A truly random password (such as 4HW@HpJDBr%*Wt@#b~aP) is practically invulnerable but, of course, you would never remember it. We strongly recommend that you use a password manager for online accounts. Password managers generate complex, random passwords for all your online accounts, and you don't need to remember them: the password manager supplies the correct password for you.
For local accounts, each person must generate their own password. They will also need to know what is an acceptable password and what is not. They will have to be told not to reuse passwords on other accounts, and so on.
This information is usually in an organization's password policy. It instructs people to use a minimum number of characters, mix uppercase and lowercase letters, include symbols and punctuation, and so on.
However, according to a new paper from a team at Carnegie Mellon University, all of these tricks add little or nothing to the strength of a password. The researchers found that the two key factors for password strength are that they are at least 12 characters long and strong enough. They measured the strength of passwords using a number of cracking programs, statistical techniques and neural networks.
A minimum of 12 characters may seem daunting at first. However, don't think in terms of a password, but of a passphrase of three or four unrelated words separated by punctuation.
For example, the Expert password checker said it would take 42 minutes to crack “chicago99”, but 400 billion years to crack “fireplace.purple.bag”. It is also easy to remember and type, and contains only 18 characters.
Review of current configuration
Before changing anything that has to do with a person's password, it is wise to take a look at the current configuration. With the passwd command, you can check the current settings using its -S (status) option. Note that you will also have to use sudo with passwd if you are working with someone else's password settings.
We type the following:
sudo passwd -S mary
A single line of information is printed in the terminal window.
You will see the following information (from left to right) in that short reply:
- The person's login name.
- One of the following three possible indicators:
  - P: Indicates that the account has a valid, working password.
  - L: Means that the account has been locked by the owner of the root account.
  - NP: No password has been set.
- The date the password was last changed.
- Minimum password age: The minimum period of time (in days) that must elapse between password resets performed by the account owner. However, the owner of the root account can always change anyone's password. If this value is 0 (zero), there is no restriction on the frequency of password changes.
- Maximum password age: The account owner is asked to change their password when it reaches this age. This value is given in days, so a value of 99,999 means the password never expires.
- Password change warning period: If a maximum password age applies, the account owner will receive reminders to change their password. The first one will be sent the number of days shown here before the reset date.
- Password inactivity period: If someone does not access the system for a period of time that overlaps the deadline for resetting the password, this person's password will not be changed. This value indicates how many days the grace period lasts after the password expiration date. If the account remains inactive for this number of days after a password expires, the account is locked. A value of -1 disables the grace period.
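The field layout above can be decoded mechanically. The following is an added example, not part of the original article: the function name and the sample lines are constructed for illustration, and it assumes the last-change date is printed as MM/DD/YYYY or YYYY-MM-DD.

```shell
#!/bin/bash
# Added example, not from the original article: decode `passwd -S` lines.
# Field order as listed above: login, status, last change, minimum age,
# maximum age, warning period, inactivity period.

# Usage: passwd_status_report TODAY < status-lines   (TODAY as YYYY-MM-DD)
passwd_status_report() {
    today_days=$(( $(date -u -d "$1" +%s) / 86400 ))
    while read -r user status changed min max warn inactive; do
        if [ -z "$user" ]; then continue; fi
        # Assumption: date is MM/DD/YYYY or YYYY-MM-DD; normalise to the latter.
        case "$changed" in
            */*/*) day=${changed#*/}; day=${day%/*}
                   changed="${changed##*/}-${changed%%/*}-$day" ;;
        esac
        if [ "$status" = "NP" ]; then
            echo "$user: no password set"
        elif [ "$status" = "L" ]; then
            echo "$user: account locked"
        elif [ "$changed" = "1970-01-01" ]; then
            echo "$user: must change password at next login"
        elif [ "$max" -ge 99999 ]; then
            echo "$user: password never expires"
        else
            left=$(( $(date -u -d "$changed" +%s) / 86400 + max - today_days ))
            if [ "$left" -lt 0 ]; then
                echo "$user: maximum age passed $(( 0 - left )) days ago"
            elif [ "$left" -le "$warn" ]; then
                echo "$user: change due in $left days (warning period)"
            else
                echo "$user: change due in $left days"
            fi
        fi
    done
    return 0
}

# Constructed sample lines, not captured from a real system.
sample_status_lines() {
    cat <<'EOF'
mary P 10/24/2020 0 45 7 -1
eric P 10/24/2020 0 99999 7 -1
dave NP 10/24/2020 0 99999 7 -1
anna P 01/01/1970 0 45 7 -1
tom P 09/01/2020 0 28 7 -1
EOF
}

# On a live system (as root): passwd -S -a | passwd_status_report "$(date +%F)"
sample_status_lines | passwd_status_report 2020-11-10
```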
Set a maximum password age
To set a password reset period, you can use the -x (maximum days) option with a number of days. You don't leave a space between -x and the digits, so you would type it as follows:
sudo passwd -x45 mary
We are told that the expiration value has changed.
Use the -S (status) option to check that the value is now 45:
sudo passwd -S mary
Now, in 45 days, a new password must be set for this account. Reminders will start seven days before that. If a new password is not set in time, this account will be locked immediately.
Applying an immediate password change
You can also use a command so that others on your network have to change their passwords the next time they log in. To do this, you use the -e (expire) option, as follows:
sudo passwd -e mary
We are then told that the password expiration information has changed.
Let's check with the -S option and see what happened:
sudo passwd -S mary
The date of the last password change is set to the first day of 1970. The next time this person tries to log in, they will have to change their password. They must also provide their current password before they can enter a new one.
Should I enforce password changes?
Forcing people to change their passwords regularly used to be common sense. It was one of the routine security steps for most facilities and was considered good business practice.
Current thinking is the polar opposite. In the United Kingdom, the National Cyber Security Centre strongly advises against enforcing periodic password renewals, and the National Institute of Standards and Technology in the United States agrees. Both organizations recommend enforcing a password change only if you know or suspect that an existing one is known by others.
Forcing people to change their passwords gets monotonous and encourages weak passwords. People usually start reusing a base password with a date or other number tacked on. Or they will write them down because they have to change them so often that they can't remember them.
The two organizations we mentioned above recommend the following guidelines for password security:
- Use a password manager: For local and online accounts.
- Enable two-factor authentication: Whenever it's an option, use it.
- Use a strong passphrase: An excellent alternative for those accounts that do not work with a password manager. Three or more words separated by punctuation marks or symbols is a good template to follow.
- Never reuse a password: Avoid using the same password you use for another account, and definitely don't use one that appears in Have I Been Pwned?.
The tips above will allow you to establish a secure means of accessing your accounts. Once you have these guidelines in place, stick to them. Why change your password if it is strong and secure? If it falls into the wrong hands, or you suspect that it has, you can change it then.
Sometimes, however, this decision is out of your hands. If the powers that be enforce password changes, you don't have many options. You can plead your case and make your position known but, unless you're the boss, you will have to follow company policy.
The chage command
You can use the chage command to change settings related to password expiration. The command name is short for “change aging”. It's like the passwd command with the password creation elements removed.
The -l (list) option presents the same information as the passwd -S command, but in a friendlier way.
We type the following:
sudo chage -l eric
Another nice touch is that you can set an account expiration date using the -E (expiration) option. We will pass a date (in year-month-day format) to set an expiration date of 30 November 2020. On that date, the account will be locked.
We type the following:
sudo chage eric -E 2020-11-30
Then we type the following to make sure this change was made:
sudo chage -l eric
We see that the account expiration date has changed from “never” to 30 November 2020.
To set a password expiration period, you can use the -M (maximum days) option, along with the maximum number of days a password can be used before it needs to be changed.
We type the following:
sudo chage -M 45 mary
We type the following, using the -l (list) option, to see the effect of our command:
sudo chage -l mary
The password expiration date is now set to 45 days from the date we set it, which, as shown, will be 8 December 2020.
Make password changes for everyone on a network
When accounts are created, a set of default values is used for passwords. You can define the defaults for the minimum, maximum and warning days. These are stored in a file called “/etc/login.defs”.
You can type the following to open this file in gedit:
sudo gedit /etc/login.defs
Scroll down to the password aging controls.
You can edit them to suit your needs, save the changes and then close the editor. The next time you create a user account, these defaults will apply.
If you want to change all password expiration dates for existing user accounts, you can easily do it with a script. Just type the following to open the gedit editor and create a file named “password-date.sh”:
sudo gedit password-date.sh
Then, copy the following text into your editor, save the file and then close gedit:
#!/bin/bash

# Maximum password age, in days, to apply to every account.
reset_days=28

# Each directory name under /home is treated as a username.
for username in $(ls /home)
do
  sudo chage -M "$reset_days" "$username"
  echo "$username password expiry changed to $reset_days"
done
This will change the maximum number of days for each user account to 28 and, therefore, the password reset frequency. You can adjust the value of the reset_days variable to suit.
First, we type the following to make our script executable:
chmod +x password-date.sh
Now, we can type the following to run our script:
sudo ./password-date.sh
Each account is then processed.
We type the following to check the account “mary”:
sudo chage -l mary
The maximum days value has been set to 28, and we are told that this will fall on 21 November 2020. You can also easily modify the script and add more chage or passwd commands.
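The script above takes its usernames from the directory names under /home, which can include leftover directories and miss accounts whose home is elsewhere. As an added example (not the article's script), the following picks accounts from the account database by UID range and prints the chage commands before anything is changed. The function names and sample data are constructed for illustration; UID_MIN and UID_MAX are the keys in “/etc/login.defs” that bound ordinary user accounts.

```shell
#!/bin/bash
# Added example, not the article's script: choose accounts from the account
# database by UID range instead of from directory names under /home.

# Print the value of KEY from login.defs-format text on stdin.
defs_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Print login names from passwd-format text on stdin whose UID lies in
# [$1, $2] and whose shell is not nologin/false.
login_accounts() {
    awk -F: -v lo="$1" -v hi="$2" \
        '$3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Read login names on stdin; print the chage command for each one, and run
# it only when the second argument is "apply".
set_max_age() {
    case "$1" in
        ''|*[!0-9]*) echo "days must be a whole number" >&2; return 2 ;;
    esac
    while read -r name; do
        echo "chage -M $1 $name"
        if [ "$2" = "apply" ]; then chage -M "$1" "$name"; fi
    done
    return 0
}

# Constructed sample data, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
mary:x:1000:1000:Mary:/home/mary:/bin/bash
eric:x:1001:1001:Eric:/srv/eric:/bin/bash
svc-ci:x:1002:1002::/home/svc-ci:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Dry run on the sample. On a real host, as root:
#   lo=$(defs_value UID_MIN < /etc/login.defs)
#   hi=$(defs_value UID_MAX < /etc/login.defs)
#   getent passwd | login_accounts "$lo" "$hi" | set_max_age 28 apply
sample_passwd | login_accounts 1000 60000 | set_max_age 28
```

In the sample, eric is selected even though his home directory is outside /home, and svc-ci is skipped even though it has one.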
Password management is something to be taken seriously. Now, you have the tools you need to take control.