If you’re managing a Linux environment, one of the things that you should be aware of is how users’ passwords work on your system. The default settings are generally ideal, but you may have specific requirements in your environment, such as a legal requirement to reset passwords regularly. Before you make any sweeping changes to one or more user accounts, though, it’s important to review the current settings.
To do so, use the “passwd” command with the “-S” flag. If you just run the command “passwd -S”, you’ll see the password settings for your own account. To view another user’s settings, type “passwd -S [their username]”. Alternatively, if you want to see the password settings for every user, add the “-a” flag.
Analyzing the Output of the Command
The output will look something like “[username] P 09/07/2020 0 99999 7 -1”.
The first part is always the username of the account. Next is a status code, which can be “P,” “L,” or “NP.” “P” means the account has a valid password set, “L” means that the account is locked by the root account and can’t be used to log in, and “NP” means that a password has not been set.
The third field is a date; this is when the password was last changed. The fourth field is the “minimum password age,” which denotes the amount of time in days that must pass before users can change their password again. A minimum value of 0 means there is no limit and that the user can change their password as often as they want.
The third to last number is the “maximum password age” in days. Once this age has been reached, the user will be required to change their password the next time they log in. A max-age of 99999 days indicates that the password will never expire.
The second to last number indicates the “change warning period” in days. If a max-age is enforced, the user will start getting warnings to change their password this many days before it expires.
The last number is the “inactivity period” in days. A user can only change their password if they log in to the system; if the user does not log in after their password expires, they cannot change it. This value sets how many days the system will wait to lock the user’s account if they don’t sign in. A value of “-1” disables this functionality, so the account is never locked.
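The field layout described above can be checked automatically. The script below is an added example, not part of the original article: it reads “passwd -S” status lines and reports accounts with no password, passwords that never expire, and accounts that never lock after expiry. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak settings in "passwd -S" status lines.
# Input fields, in the order described above:
#   user  status  last-change  min-age  max-age  warn  inactive

# Constructed sample lines (not taken from a real system).
sample_status_lines() {
    cat <<'EOF'
alice P 09/07/2020 0 99999 7 -1
bob P 09/07/2020 1 90 7 30
carol NP 09/07/2020 0 99999 7 -1
daemon L 09/07/2020 0 99999 7 -1
dave P 09/07/2020 0 90 7 -1
EOF
}

# Read status lines on stdin, print one finding per risky account.
audit_passwd_status() {
    awk '
    NF == 0 { next }                       # ignore blank lines
    NF != 7 { print "unparseable line: " $0; next }
    {
        user = $1; status = $2; max = $5; inactive = $7
        if (status == "NP") {
            print user ": no password set"
        } else if (status == "P") {
            if (max == 99999)
                print user ": password never expires"
            else if (inactive == -1)
                print user ": expired password never locks the account"
        }
        # "L" accounts are locked and cannot log in, so nothing is reported.
    }'
}

# Demo on the sample; on a real host, as root: passwd -S -a | audit_passwd_status
sample_status_lines | audit_passwd_status
```

The script does not parse the date field, so it works regardless of the date format your version of “passwd” prints.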