PASSWD(1)                       User utilities                       PASSWD(1)


       passwd - update a user’s authentication tokens(s)


       passwd [-k] [-l] [-u [-f]] [-d] [-n mindays] [-x maxdays] [-w warndays]
       [-i inactivedays] [-S] [--stdin] [username]


       Passwd is used to update a user’s authentication token(s).

       Passwd is configured to work through the Linux-PAM  API.   Essentially,
       it initializes itself as a "passwd" service with Linux-PAM and utilizes
       configured password modules to authenticate and then  update  a  user’s

       A  simple  entry  in  the Linux-PAM configuration file for this service
       would be:

        # passwd service entry that does strength checking of
        # a proposed password before updating it.
        passwd password requisite \
                    /usr/lib/security/ retry=3
        passwd password required \
                    /usr/lib/security/ use_authtok

       Note, other module-types are not required for this application to func-
       tion correctly.


       -k     The  option, -k, is used to indicate that the update should only
              be for  expired  authentication  tokens  (passwords);  the  user
              wishes to keep their non-expired tokens as before.

       -l     This  option  is  used  to  lock the specified account and it is
              available to root only. The locking is  performed  by  rendering
              the  encrypted password into an invalid string (by prefixing the
              encrypted string with an !).

              This option is used to indicate that passwd should read the  new
              password from standard input, which can be a pipe.

       -u     This  is  the  reverse  of  the  -l  option - it will unlock the
              account password by removing the ! prefix. This option is avail-
              able  to  root  only.  By default passwd will refuse to create a
              passwordless account (it will not unlock  an  account  that  has
              only  "!" as a password). The force option -f will override this

       -d     This is a quick way to disable a password  for  an  account.  It
              will set the named account passwordless. Available to root only.

       -n     This will set the minimum password lifetime,  in  days,  if  the
              user’s  account  supports password lifetimes.  Available to root

       -x     This will set the maximum password lifetime,  in  days,  if  the
              user’s  account  supports password lifetimes.  Available to root

       -w     This will set the number of days in advance the user will  begin
              receiving  warnings that her password will expire, if the user’s
              account supports password lifetimes.  Available to root only.

       -i     This will set the number of  days  which  will  pass  before  an
              expired password for this account will be taken to mean that the
              account is inactive  and  should  be  disabled,  if  the  user’s
              account supports password lifetimes.  Available to root only.

       -S     This  will  output  a  short information about the status of the
              password for a given account. Available to root user only.

Remember the following two principles

       Protect your password.
              Don’t write down your password - memorize  it.   In  particular,
              don’t write it down and leave it anywhere, and don’t place it in
              an unencrypted file!  Use unrelated passwords for  systems  con-
              trolled  by  different  organizations.  Don’t give or share your
              password, in particular to someone claiming to be from  computer
              support  or  a  vendor.   Don’t  let anyone watch you enter your
              password.  Don’t enter your password to  a  computer  you  don’t
              trust  or  if  things  Use  the  password for a limited time and
              change it periodically.

       Choose a hard-to-guess password.
              passwd will try to prevent you from choosing a really bad  pass-
              word,  but  it  isn’t  foolproof;  create  your password wisely.
              Don’t use something you’d find in a dictionary (in any  language
              or  jargon).  Don’t use a name (including that of a spouse, par-
              ent, child, pet, fantasy character, famous person, and location)
              or  any  variation  of your personal or account name.  Don’t use
              accessible information about you (such  as  your  phone  number,
              license  plate,  or social security number) or your environment.
              Don’t use a birthday or a simple  pattern  (such  as  backwards,
              followed by a digit, or preceded by a digit. Instead, use a mix-
              ture of upper and lower case letters, as well as digits or punc-
              tuation.  When choosing a new password, make sure it’s unrelated
              to any previous password. Use long passwords (say  8  characters
              long).   You  might use a word pair with punctuation inserted, a
              passphrase (an understandable sequence of words), or  the  first
              letter of each word in a passphrase.

       These  principles are partially enforced by the system, but only partly
       so.  Vigilence on your part will make the system much more secure.


       On successful completion of its task, passwd will  complete  with  exit
       code 0.  An exit code of 1 indicates an error occurred.  Textual errors
       are written to the standard error stream.


       Linux-PAM (Pluggable Authentication modules for Linux).
       Note, if your distribution of Linux-PAM conforms to the Linux  Filesys-
       tem  Standard,  you  may  find the modules in /lib/security/ instead of
       /usr/lib/security/, as indicated in the example.


       /etc/pam.d/passwd - the Linux-PAM configuration file


       None known.


       pam(8), and pam_chauthok(2).

       For more complete information on how to configure this application with
       Linux-PAM, see the Linux-PAM System Administrators Guide at


       Cristian Gafton <>

Red Hat Linux                     Aug 23 2004                        PASSWD(1)

Man(1) output converted with man2html