One of the things you may have to do if you manage a Linux environment is ensure that the passwords for user accounts are configured securely. One setting you may be required to apply is a maximum password age, which forces the user to reset their password when the timer expires.
Historically the advice was to reset passwords regularly, generally every 90 days. This advice was designed to restrict the timeframe in which a potentially compromised password could be used. More recently, though, the advice from government agencies such as NIST and the NCSC, as well as the larger cybersecurity community, has changed to recommend that passwords are never routinely expired.
Research has shown that requiring users to regularly change their passwords applies significant pressure towards users picking weaker and formulaic passwords that are easy to guess. This effect is so prevalent that it actually decreases overall security rather than providing the intended benefit. To resolve this issue, security advice has been changed to only require changing passwords when there is a reasonable suspicion that they have been compromised. By not forcing users to regularly remember a new password, they’re significantly more likely to choose a longer and more secure password in the first place, increasing security.
Unfortunately, many companies, standards, and governments are slow to change their policies even when research and government advice recommend that they do. This means you may still occasionally need to set a password expiry time.
How to set a password to expire
To change the expiry time for passwords on a user account, you need to use the “passwd” command with the “-x” flag. The command will need to be run with sudo as it requires root permissions.
To set a password expiry period of 90 days, the command would be “sudo passwd -x90 [username]”. The number of days you want passwords to be valid for should be listed directly after the “-x” flag, with no spaces.
Note: This command will set the current password to expire 90 days after it was last changed, not 90 days from you running the command. If a user’s password was changed more than 90 days ago they will be required to change it the next time that they log in.
If you’re in a position to remove the password reset requirement, you can remove the maximum age of a password by setting it to 99999 days, with the command “sudo passwd -x99999 [username]”.
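The note above that expiry is counted from the date the password was last changed, not from when you ran passwd, can be seen directly in /etc/shadow: field 3 holds the last-change date as days since 1970-01-01 and field 5 holds the maximum age that passwd -x writes. The following POSIX shell script is an added example, not part of the original article; it uses a constructed shadow-format sample (the hashes are placeholders) and a supplied "today" value so it runs without root, and it classifies each account the way the login check would. The helper names password_status and today_in_days are my own.

```shell
#!/bin/sh
# Added example (not from the original article). Classifies accounts in
# /etc/shadow format as expired, valid, or without a maximum age, using
# the same arithmetic the system applies at login: expiry is measured
# from the last-change date (field 3), not from when passwd -x was run.
#
# Field layout of a shadow line (see shadow(5)):
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved

# Constructed sample data; "$6$PLACEHOLDER" is not a real hash.
SAMPLE_SHADOW='alice:$6$PLACEHOLDER:19000:0:90:7:::
bob:$6$PLACEHOLDER:19900:0:90:7:::
carol:$6$PLACEHOLDER:18000:0:99999:7:::
dave:$6$PLACEHOLDER:19950:0::7:::'

# today_in_days: current date as days since the epoch, the unit used in
# field 3 (the same number `date +%s` divided by 86400 produces).
today_in_days() {
  echo $(( $(date +%s) / 86400 ))
}

# password_status USER TODAY [SHADOW_TEXT]
# Prints one of: expired, valid, no-max-age, unknown-user
# SHADOW_TEXT defaults to the constructed sample above; on a real host
# you would pass "$(sudo cat /etc/shadow)" instead.
password_status() {
  user=$1
  today=$2
  data=${3:-$SAMPLE_SHADOW}
  printf '%s\n' "$data" | awk -F: -v u="$user" -v t="$today" '
    $1 == u {
      found = 1
      # An empty max field means no limit; 99999 is the conventional
      # "effectively never" value that the article sets with passwd -x99999.
      if ($5 == "" || $5 == 99999) { print "no-max-age"; exit }
      # Expiry date = last change (field 3) + max age (field 5).
      if (t > $3 + $5) print "expired"; else print "valid"
      exit
    }
    END { if (!found) print "unknown-user" }'
}

# Demonstration against the constructed sample with a fixed "today" of
# day 19950: alice changed her password 950 days ago, so a 90-day
# maximum has already lapsed; bob changed his 50 days ago, so he is fine.
for u in alice bob carol dave eve; do
  printf '%-6s %s\n' "$u" "$(password_status "$u" 19950)"
done
```

To check a real account, run password_status with "$(today_in_days)" as the second argument and the root-readable shadow file as the third; the same arithmetic is what makes an account whose last change predates the new limit prompt for a reset at the very next login.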