If you’re managing a Linux system, one of the tasks you may have to do is manage the settings passwords for user accounts. As part of this process, you will likely need to manage the settings for both existing and new accounts.
Managing the password settings for existing accounts is done through the “passwd” command, although there are other alternatives. You can set default settings for accounts that will be created in the future, however, saving you from manually changing defaults for each new account.
The settings are configured in the config file “/etc/login.defs”. As the file is located in the “/etc” directory, it will require root permissions to edit. To avoid any issues where you make changes then can’t save them because you don’t have permissions, make sure that you launch your preferred text editor with sudo.
The section you want is near the middle of the file and is titled “Password aging controls”. In it are three settings, “PASS_MAX_DAYS”, “PASS_MIN_DAYS”, and “PASS_WARN_AGE”. Respectively these are used to set how many days a password can be valid for before needing to be reset, how soon after one password change another can be made, and how many days warning a user gets before their password is expired.
“PASS_MAX_DAYS” defaults to 99999 which is used to indicate that passwords should not automatically expire. “PASS_MIN_DAYS” defaults to 0 which means that users can change their password as often as they like.
Tip: A minimum limit on password age is normally combined with a password history mechanism in order to prevent users from changing their password and then immediately changing it back to what it used to be.
“PASS_WARN_AGE” defaults to seven days. This value is only used if a user’s password is actually configured to expire.
How to configure the default password aging settings for new accounts
If you want to configure these values so that passwords are automatically expired every 90 days, a minimum age of one day is applied, and users are warned 14 days before they expire you should set the values “90”, “1”, and “14” respectively. Once you’ve made the changes you want, save the file. Any new accounts that are created after you update the file will have the settings you configured applied to it by default.
Note: Unless mandated by policies, you should avoid configuring passwords to automatically expire over time. The NCSC, NIST, and the wider cybersecurity community now recommend that passwords are only expired when there is reasonable suspicion that they have been compromised. This is due to research that has shown that regular mandatory password resets actively push users towards choosing weaker and more formulaic passwords that are easier to guess. When users are not forced to regularly make and remember a new password, they’re better at creating longer, more complex, and generally stronger passwords.
