How to Force Users to Change Password on Their Next Login on Linux

When you create a user account with a default password, you will need to force the user to change that password on their next login.

You should enable this if the system is not integrated with Active Directory (AD).

If it is, you don’t need to worry about this, because users need their AD login details to access the system.

This option is mandatory when you are working in an organization, because other employees may know the default password and may attempt to misuse it.

This is a security compliance requirement, so be sure to take proper care of it regularly.

Most users are lazy and will not change their password unless you force them to do so.

For security reasons you will need to change your password frequently, or at least once a month.

Make sure you use a strong password (combination of upper and lower case letters, numbers and special characters). It should be at least 10-15 characters long.

We run a shell script to create user accounts on the Linux server when a bulk request is received; it automatically sets a password for each user, along with a real username that includes a numeric value.

You can achieve this using the two methods below.

  • passwd command
  • chage command

Method-1: How to Force Users to Change Password on Their Next Login on Linux Using the passwd Command

The passwd command stands for password. It updates a user’s authentication tokens, and is used to set or change a password.

Normal users can only change their own password, but the superuser can change the password of any account.

In addition, passwd accepts options for other functions, such as deleting a user’s password, locking or unlocking a user account, and setting a password expiry for a given account.

This can be done on Linux by calling Linux-PAM and the Libuser API.

When you create a user on Linux, users’ details are stored in the /etc/passwd file. Each user profile in the password file is a single line with seven fields.

The users’ hashed passwords and password-aging information are stored in the /etc/shadow file.

When a new user is created on a Linux system, the following four files are updated.

  • /etc/passwd: the new user’s account details are added to this file.
  • /etc/shadow: the new user’s password information is added to this file.
  • /etc/group: group details for the new user are added to this file.
  • /etc/gshadow: group password information for the new user is added to this file.

You can force a user to change the password on their next login on Linux using the passwd command with the -e option.

How to do this with the passwd Command?

To test this, let’s create a new user account and see how it works. We are going to create a new user account named magesh.

# useradd -c "2g Admin - Magesh M" magesh && passwd magesh
Changing password for user magesh.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

You can expire the password for the given user account by executing the command below. The user will be forced to change the password during the next login attempt.

# passwd -e magesh
Expiring password for user magesh.
passwd: Success

This prompts me to set a new password when I first try to log in to the system.

login as: magesh
magesh@localhost's password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user magesh.
Changing password for magesh.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.

Method-2: How to Force Users to Change Password on Their Next Login on Linux Using the chage Command

chage stands for change age. It changes user password expiration information.

The chage command changes the number of days between password changes and the date of the last password change.

This information is used by the system to determine when a user should change his/her password.

It allows the user to perform other functions such as setting the account expiration date, setting the password inactive after the expiration, displaying account aging information, setting minimum and maximum days before password change, and setting expiry warning days.

How to Achieve this with the chage Command

You can force a user to change the password on their next login on Linux using the chage command with the -d option.

To test this, let’s create a new user account and see how it works. We are going to create a new user account called thanu.

# useradd -c "2g Editor - Thanisha M" thanu && passwd thanu
Changing password for user thanu.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

To achieve this, set the date of the user’s last password change to “0” with the chage command.

# chage -d 0 thanu

# chage -l thanu
Last password change                                    : Mar  6, 2020
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

This prompts me to set a new password when I first try to log in to the system.

login as: thanu
thanu@localhost's password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user thanu.
Changing password for thanu.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.
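Both passwd -e and chage -d 0 produce the same state on disk: the third field of the account’s /etc/shadow entry (the date of the last password change, in days since 1970-01-01) is set to 0, and that is what makes the login prompt demand a new password. The following script is an added example, not part of the original article, that checks for this state so an administrator can confirm which accounts are still flagged. It works on a constructed /etc/shadow sample embedded in the script, so it needs no root access; point list_forced_accounts at the real file (as root) to audit a live system.

```shell
# Added example: verify from /etc/shadow-format data that an account has been
# flagged to change its password at next login. Both "passwd -e USER" and
# "chage -d 0 USER" set field 3 (last password change, days since epoch) to 0.

# Constructed sample /etc/shadow content; hashes replaced with placeholders.
# magesh last changed the password on day 18327 (2020-03-06), thanu and bob
# have field 3 set to 0 (must change at next login), root has a locked
# password and a normal aging field.
SAMPLE_SHADOW='root:!:18327:0:99999:7:::
magesh:$6$PLACEHOLDER:18327:0:99999:7:::
thanu:$6$PLACEHOLDER:0:0:99999:7:::
bob:$6$PLACEHOLDER:0:0:99999:7:::'

# Print the "last change" field (field 3) of one shadow line.
shadow_lastchg() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 (true) when the shadow line says the password must be changed at
# next login, 1 otherwise.
needs_change_at_login() {
    [ "$(shadow_lastchg "$1")" = "0" ]
}

# Read shadow-format lines on stdin and print the accounts flagged for a
# forced change, one username per line. Usage on a real system (as root):
#   list_forced_accounts < /etc/shadow
list_forced_accounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if needs_change_at_login "$line"; then
            printf '%s\n' "${line%%:*}"
        fi
    done
}

# Demonstrate the check on the constructed sample (no root needed).
# Prints: thanu and bob, one per line.
printf '%s\n' "$SAMPLE_SHADOW" | list_forced_accounts
```

On a live system, run the audit after applying either method: an account that still shows 0 in field 3 has not logged in yet, so its default password is still the one that was handed out.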

About Prakash Subramanian

Prakash Subramanian is a Linux lover and has 3.5+ years of experience in Linux server administration with major Linux distributions such as RHEL, CentOS and Ubuntu. He is currently working as a Senior L2 Linux Server administrator.


2 Comments on “How to Force Users to Change Password on Their Next Login on Linux”

  1. What if we need to expire a hundred users so that they reset their passwords on next login?
    Because the passwd -e user.name command will expire one user, and for this command we need to provide a password to the user so he can use this temp password to reset his/her new password at first login.

    Please assist, thanks in advance.
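The article mentions a bulk account-creation script, and the comment above asks how to apply the forced change to many accounts at once while still giving each user a temporary password. The script below is an added example of that workflow, not the article author’s script or a reply from the author: it reads one username per line, validates each name, and for each account sets a random temporary password with chpasswd and then expires it with chage -d 0, so the temporary password works exactly once. The username list, the validation rule and the 16-character temporary password length are assumptions of this example. Without root it only prints the plan for the constructed list, which is also what the test below checks.

```shell
# Added example: bulk forced password change with a one-time temporary
# password per account. The account list, validation regex and temporary
# password format are assumptions of this example.

# Constructed list of accounts for the demonstration (one username per line).
SAMPLE_USERS='magesh
thanu
bob'

# Accept only portable usernames; this keeps unexpected characters out of the
# commands that are built below.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# Generate a 16-character alphanumeric temporary password from /dev/urandom.
gen_temp_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
}

# Print the command that would flag one account, without running it.
plan_for_user() {
    printf 'chage -d 0 %s\n' "$1"
}

# Build the plan for every account on stdin (dry run). Blank lines and
# comment lines are skipped; invalid names are reported and skipped.
build_bulk_plan() {
    while IFS= read -r user; do
        case "$user" in
            ''|'#'*) continue ;;
        esac
        if ! valid_username "$user"; then
            echo "skipping invalid username: $user" >&2
            continue
        fi
        plan_for_user "$user"
    done
}

# Apply the change for real. Requires root. Sets a temporary password with
# chpasswd, expires it with chage -d 0, and prints user:temp-password pairs
# on stdout so they can be delivered to the users out of band.
# Usage: apply_bulk < users.txt > temp-passwords.txt
apply_bulk() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_bulk: must be run as root" >&2
        return 1
    fi
    while IFS= read -r user; do
        case "$user" in
            ''|'#'*) continue ;;
        esac
        valid_username "$user" || { echo "skipping invalid username: $user" >&2; continue; }
        temp="$(gen_temp_password)"
        printf '%s:%s\n' "$user" "$temp" | chpasswd
        chage -d 0 "$user"
        printf '%s:%s\n' "$user" "$temp"
    done
}

# Dry run on the constructed list (no root needed): prints one chage line per user.
printf '%s\n' "$SAMPLE_USERS" | build_bulk_plan
```

Because the last-change date is reset to 0 immediately after chpasswd sets the temporary password, the temporary value cannot be kept in use: the first login that succeeds with it is forced straight into a password change, which is the property the comment is after.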
