As a Linux system administrator, one of the most common tasks is managing user accounts. This includes creating new users, deleting old accounts, and updating passwords.

In this comprehensive guide, we will walk through the process in-depth of changing a user‘s password with a single command using the passwd utility.

An Overview of Linux User Accounts

In Linux and other Unix-based operating systems, users are identified by a username and numeric user identifier (UID). Each user has an entry in the /etc/passwd file that defines their account details:

john:x:1010:1010:,,,:/home/john:/bin/bash

This contains fields for:

  • Username
  • Password (x = hashed/encrypted)
  • UID and GID numbers
  • GECOS metadata (optional)
  • Home directory path
  • Default shell

When a user account is created, the passwd command handles generating an encrypted password hash and storing it in /etc/shadow. This file is only readable by the root user for security reasons.

Here is an example /etc/shadow entry after a password is set:

john:$6$rounds=400000$cd5nFDw4SX07CZE3$6Xmr/twlHh1oWjUtItYgHbp6fR/9k0fBCv9ZumEE0Rd.YOrdIvMANXCrpHthFWygCQ0vFIWLV Nam11J69JXyy0:19090:0:99999:7:::

This contains the password hash itself along with additional account policy fields like expiration date and failed login count. The hashing makes passwords unrecoverable and also protects against visibility if shadow file is somehow exposed.

Here is a quick overview of some key points about Linux user accounts:

  • The default administrative user is called root and has full privileges on the system
  • Normal user accounts provide access based on permissions set for files/folders
  • Users can be given sudo privileges to run commands as root temporarily
  • Each user has a home directory for their personal files e.g. /home/username
  • Account details like the UID, shell, and groups are stored in /etc/passwd
  • Encrypted hashes of passwords are kept securely in /etc/shadow

Now let‘s look at how the passwd command allows changing passwords…

Resetting Passwords with the passwd Command

The passwd utility is designed specifically for updating user passwords. It supports various options:

passwd username  
passwd -l username  
passwd -u username
passwd -d username 
passwd -n days username
passwd -w days username
passwd -x days username 
passwd --stdin username

Here is what each main variant allows you to do:

  • passwd username – Change password for user username
  • passwd -l username – Lock/disable account username
  • passwd -u username – Unlock a locked account
  • passwd -d username – Delete password and enable null login
  • passwd -n days username – Set minimum age to days between changes
  • passwd -w days username – Set max age that password is valid for
  • passwd -x days username – Set max days before change is required
  • passwd --stdin username – Provide new passwords via STDIN

These extra options allow custom password policies to be configured per account. We will discuss Linux password settings later on.

Under the hood, passwd re-hashes the user‘s password using the configured algorithm and updates /etc/shadow with the new hash. This is a one-way cryptographic process where the plaintext passwords are never actually stored.

Next let‘s walk step-by-step through the process of changing a user password…

Step-by-Step Guide: Resetting a Linux Password

Changing user credentials with the passwd tool requires just a few quick steps.

Let‘s say we have a user account named john whose password we want to update.

Here is an overview of the complete process:

  1. Open a terminal with su - or sudo to gain root rights
  2. Execute passwd john to change password for user john
  3. Enter the new password when prompted and confirm
  4. Validate login with the updated credentials

Now let‘s examine each step to change passwords in more detail…

1. Gain Administrative Access

First, we need a terminal session with root privileges to use the passwd utility.

Click on the Activities menu and search for "Terminal". Then right click on Terminal and select "Run as Administrator" to launch an elevated shell.

Alternatively, the quickest way is using the Ctrl+Alt+T keyboard shortcut to open a terminal and then type: 

su -

This will use the su (switch user) command to become the root account superuser. Enter the root password when prompted to continue.

Once authenticated as root, we now have full access to make password changes across all local user accounts.

2. Execute the passwd Command for a User

With root access acquired, we can run passwd to reset credentials for any local user account.

The basic syntax is passwd [options] username.

For example, let‘s change the password for the user john. Type the following:

passwd john

This will initiate the password change process for the john account.

3. Set the New Password

After hitting enter, passwd will prompt to enter the new password like so:

Enter new UNIX password:

Type your desired password text and press enter.

Next it will ask you to retype the password again to confirm:

Retype new UNIX password:

The confirmation step helps avoid mistakes from typos or toggling numlock accidentally.

Enter the exact same new password text again and press enter once more to validate.

4. Test Logging in with Updated Credentials

If your new password meets the security requirements, you should now see:

passwd: password updated successfully

To validate the change, open a new terminal session and attempt logging in with the updated credentials:

ssh john@server

Type the user‘s new password at the prompt. If successful, you have confirmed the reset!

And that covers the end-to-end process for changing Linux account passwords using the handy passwd tool. Pretty straightforward right?

Next, let‘s dig deeper into some best practices around Linux password policies…

Examining Password Hashes, Salts and Iterations

When account credentials are changed with passwd, the plaintext password you enter is encrypted using a cryptographic hash before storing in /etc/shadow.

By default most modern Linux distributions utilize the SHA-512 algorithm for secure salted password hashing.

Here is an example breakdown of what one of these hashed password fields contains:

$6$rounds=400000$cd5nFDw4SX07CZE3$Iahc.DFjCSYgHOoYPKAv0FpADJC7CT8bbXTbJtvmmtmnjaneeI0tNkXEB83KT1RGoXxtGlv6bRSeZf4spadZq/
  • $6 – Identifies hashing algorithm (6 = SHA-512)
  • rounds=400000 – Key strengthening iterations
  • cd5nFDw4SX07CZE3 – Random salt value
  • Iahc.DF...adZq/ – Actual password hash

The main cryptographic protections here include:

  1. Key strengthening with iterations – Computing millions of hash iterations significantly slows brute force attempts. The rounds value can be tuned higher as CPU speeds increase.

  2. Unique salts per password – Random salts modify hashes to prevent use of rainbow tables and make attacks specific to each password. Long salts maximize effectiveness.

  3. Secure SHA-512 algorithm – Hashes are stretched over many rounds into an uncrackable format through repeated transformations.

Together these protections make offline attacks extremely difficult even for powerful computers.

Other hash options like SHA-256, SHA-3, and BCRYPT can be selected as well depending on security needs. Now let‘s look at enforcing password policies…

Linux Password Policies and Account Lockout Configs

When changing or setting new account passwords, most Linux systems enforce a standard password policy with complexity requirements.

Password policies help minimize easily guessable passwords by users that put the system security at risk.

Here are some of the common password rules enforced:

Policy Option Typical Setting
Minimum Length 8 characters
Maximum Length 128 characters
Expiration Days 90 days
Password Reuse Limit 5 previous keys
Minimum Different Characters 3 types
Maximum Repeated Characters 2 repeat limit
Minimum Uppercase Letters 1
Minimum Lowercase Letters 1
Minimum Digits 1
Minimum Symbols 1

These kind of complexity requirements prompt users to create longer passwords with multiple character types mixed in.

Accounts can also be locked temporarily after a specified number of incorrect login attempts to prevent brute force password guessing attacks.

Integrating with LDAP, ActiveDirectory, or SSSD allows enforcing centralized policies too.

Overall these standards coupled with hashing mechanisms make password based authentication reasonably secure in Linux environments. But other methods like multifactor authentication provide another layer as well.

Now let‘s switch gears to look at generating strong Linux passwords programmatically…

Generating Secure Random Passwords in Linux Scripts

While human created passwords may meet complexity rules, they are generally limited in overall entropy and randomness.

In contrast, system generated passwords tap into significantly more potential combinations for greater security.

Here is sample code to generate a 20 character fully random password in a Linux script:

#!/bin/bash

# Generate a random 20 character password with digits, upper & lower case letters and symbols  

password=$(tr -dc A-Za-z0-9!"#$%&‘()*+,-./:;<=>?@[\]^_`{|}~ </dev/urandom | head -c 20 | xargs)  

echo "Random Password: $password"

Breaking this down:

  • /dev/urandom provides cryptographically secure random bytes
  • tr -dc filters the character class to permitted password types
  • head -c 20 grabs the first 20 bytes of output
  • xargs consolidates the random bytes into a single word

For root accounts and application services, using longer 30+ character system generated passwords provides maximum security. The downside is they are impossible to remember or transcribe accurately.

This is where a secrets management system like HashiCorp Vault comes in handy. Vault securely stores tokens, keys, and credentials encrypted until time of use then handles injecting them automatically into processes.

With scripting and tools, handling high entropy passwords becomes scalable. Now let‘s examine Linux security more broadly…

Linux vs Windows – Underlying Security Models Compared

While the passwd utility is specific to Linux and Unix based systems, the underlying authentication model differs significantly from Microsoft Windows for example.

Some of the key platform security differences include:

1. Multiuser from the start – Linux was designed from inception for multiple concurrent users with isolated access. Windows evolved from single user roots.

2. Core file permissions – In Linux everything sits on a unified permissions framework enforced at the kernel level.

3. Hashed passwords – Passwords have long been salted and hashed by default in Linux to block plain-text storage.

4. Centralized credentials – Linux typically relies more on LDAP, Kerberos, SSSD, NIS for unified account management.

5. Custom lockout policies – In Linux you can tune password lockouts, timeouts, iterations per system or user.

6. Advanced firewalls – Distributions like CentOS have extremely sophisticated software firewalls like firewalld on by default.

So in many ways Linux offers more layers of underlying security surrounding user authentication out of the box. But increasingly Microsoft has strengthened defaults in Windows as well over releases.

Now let‘s shift gears to discuss monitoring and auditing of password related events…

Auditing Login Access attempts

To track user logins and detect potentially unauthorized access, Linux offers detailed monitoring around authentication events with tools like:

  • journalctl – Centralized logging view consolidated from syslog, kernel messages etc.

  • last – List user login history including remote ssh sessions

  • lastb – Lists bad login attempts and failures

  • faillog – Specifically shows details per user failure metrics

For example, excessive failed logins from an account might indicate a password guessing brute force attack.

Using lastb you can examine patterns as follows:

john     pts/3    server.com    Thu Jul 21 13:56 - 14:22  (00:25)     20+ failed login attempts
nicole   pts/4    117.87.82.121 Thu Jul 21 14:11 - 14:22  (00:10)     34+ failed login attempts

Likewise tracking the remote source IPs with serious failure counts can reveal broader network access attempts that warrant firewall rules.

Getting alerted on unusual authorization patterns allows quick detection and response to contain security incidents. Auditing builds situational awareness.

Now let‘s move on to some industry best practices surrounding account passwords…

Enterprise Password Management Best Practices

For organizations running Linux environments at scale, account security should follow security standards like CIS Benchmarks, NIST 800-53, or ISO 27001 recommendations.

Here is a summary of some best practices for enterprise Linux password management:

  • Enforce automatic expiration every 60-90 days
  • Provide self-service password reset via a protected web portal
  • Implement single sign-on using LDAP or cloud identity providers
  • Utilize SSH keys over password logins where feasible
  • Store and manage credentials securely with a solution like Hashicorp Vault
  • Require multi-factor authentication for admins and privileged access
  • Monitor logs with Security Information & Event Management (SIEM) systems
  • Follow least privilege principles for user permissions
  • Adhere to defined Change Management policies for access recertification

Taking these kinds of precautions organization wide reduces risk across environments at scale.

Integrating Linux authentication with central identity stores and adding secondary factors provides significant protections against account takeovers via stolen credentials.

Summary of Changing Linux Passwords

We covered a ton of valuable ground explaining how the passwd tool allows easy password changes in Linux from the command line.

Here is a high level recap of some of the key topics:

  • User accounts and hashed passwords are stored securely in /etc/shadow
  • The passwd utility enables convenient password resets for admins
  • Use simple passwd <username> syntax to change another user‘s credentials
  • Linux leverages salted password hashes (SHA-512) for cryptography
  • Random passwords provide the greatest entropy and strength
  • Security policies enforce minimum password complexity requirements
  • Monitoring authentication events detects brute force attacks
  • Linux offers hardened multi-user security foundations by design

Being able to reliably reset and manage passwords is an essential skill for any Linux system administrator.

Hopefully this guide provided great depth on all facets of Linux password authentication, hashing, policies, logging, auditing and best practices. Let me know if any additional questions come up!

Related posts:

  1. Mastering the Linux Mount Command: An Advanced Guide
  2. Mastering Piping Command Output to Files in Linux
  3. How to Generate UNIX Timestamps in Linux
  4. Secure and Efficient Directory Transfers in Linux with scp
  5. Bringing a Linux Background Process into the Foreground: An In-Depth Reference
  6. The Definitive Guide to Nethogs for Monitoring Network Traffic
  7. How to Use the IP Command for Network Configuration in Ubuntu
  8. In Linux, How to Find the Size of Directory and Subdirectories?

Similar Posts