If you manage a Linux machine with multiple users, you may occasionally want or need to get a user to change their password. The most likely reason is a first-time use scenario. Other potential reasons to change a password, such as a user forgetting it, the password being compromised, or mandatory regular password cycling, don’t really work with the concept of manual password expiry.
When a Linux password is expired, the user is required to change it the next time that they log in. If a user has forgotten their password, they’ll never be able to sign in, so they will never get the chance to change it. If a user’s password is compromised, it should be changed immediately; expiring it runs the risk that the attacker signs into the account first and can then set the password to any value. If you have a policy of requiring regular password resets, then this should be managed automatically by setting a maximum password age rather than manually expiring passwords.
Note: Ideally you shouldn’t regularly expire passwords anymore. The NCSC and NIST, as well as the larger cybersecurity community, have changed their public guidance due to research that showed that doing so makes people more likely to choose weak and formulaic passwords. The guidance is now to only make users change passwords when there is a reasonable suspicion that the password has been compromised. When users are not forced to regularly remember new passwords, they are more likely to create and remember a longer, more complex, strong password.
When you first create an account for a user, typically it is created with a temporary password. The user should then change this password to something they can remember the first time that they sign in.
How to force expire a password
To mark a password as “expired” and force the user to change it the next time that they log in, use the command “passwd” along with the “-e” flag. The “-e” flag immediately expires an account’s password, which forces the user to change it the next time that they log in.
The full command would be “sudo passwd -e [username]”. Sudo is required as the command requires root permissions to run.
Password security is incredibly important, and not just on a Windows machine – be sure to change your (and other users’) passwords often, so that nobody can gain unauthorised access to their accounts.
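An added example, not part of the original article: “passwd -e” works by setting the last-change field of the account’s /etc/shadow entry to 0, which shadow(5) defines as “must change at next login”. The script below classifies shadow-format lines so an administrator can confirm which accounts still have a forced change pending; the function names, the sample lines and the simplified maximum-age comparison are assumptions of this example.

```shell
#!/bin/sh
# Added example. Classifies shadow(5)-format lines by password-aging state.
# Fields used: 1 = login, 3 = day of last change (days since 1970-01-01),
# 5 = maximum password age in days.

# pw_state LINE TODAY  -> prints "<login> <state>"
pw_state() {
    # "rest" absorbs the remaining fields (warn, inactive, expire, reserved)
    IFS=: read -r name pwhash lastchg min max rest <<EOF
$1
EOF
    if [ -z "$lastchg" ]; then
        state=no-aging      # empty field: password aging is disabled
    elif [ "$lastchg" -eq 0 ]; then
        state=forced        # change required at next login ("passwd -e")
    elif [ -n "$max" ] && [ $((lastchg + max)) -lt "$2" ]; then
        state=aged-out      # simplified check: maximum password age exceeded
    else
        state=ok
    fi
    printf '%s %s\n' "$name" "$state"
}

# audit TODAY  -> classifies every non-empty line read from stdin
audit() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then pw_state "$line" "$1"; fi
    done
}

# Constructed sample data (not real hashes); 20000 is a constructed "today".
# On a live system: sudo cat /etc/shadow | audit "$(( $(date +%s) / 86400 ))"
audit 20000 <<'EOF'
newuser:CONSTRUCTED_HASH:0:0:99999:7:::
alice:CONSTRUCTED_HASH:19990:0:99999:7:::
bob:CONSTRUCTED_HASH:19800:0:90:7:::
svc:!::0:99999:7:::
EOF
```

An account that stays in the “forced” state long after creation still has its temporary password, which is worth following up on.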