How to change a user password in Linux

Mar 30, 2026|8 min read

The passwd command changes user passwords on Linux. It is one of the most basic system administration tasks, but there are enough variations and edge cases that it is worth covering properly. Changing your own password, changing another user’s password, forcing a password change on next login, setting password expiration policies, and handling locked accounts all use different commands and flags.

This guide covers each scenario with the exact commands you need.

Changing your own password

passwd

That is it. No arguments needed. Linux prompts you for your current password, then asks for the new password twice:

Changing password for john.
Current password:
New password:
Retype new password:
passwd: password updated successfully

The current password prompt is a security measure. It prevents someone from changing your password if they find your terminal unlocked. If you do not know your current password, you cannot change it this way. You need a user with sudo access to reset it for you (see below).

The new password is not displayed as you type it. This is normal. Linux does not show password characters, not even asterisks.

Password requirements

Most Linux distributions enforce password complexity rules through PAM (Pluggable Authentication Modules). The default configuration on RHEL, Rocky Linux, and CentOS uses pam_pwquality, which requires:

  • Minimum 8 characters
  • At least one uppercase letter, one lowercase letter, one digit, and one special character (depending on configuration)
  • The password must differ from the previous password by a configurable number of characters
  • Dictionary words and common patterns are rejected

If your new password is rejected:

BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word

or:

BAD PASSWORD: The password is shorter than 8 characters

Choose a stronger password. These requirements exist to prevent passwords that automated brute force tools can guess quickly. The same kind of credential stuffing attacks that target SSH and WordPress login pages use dictionaries of common passwords, so the complexity requirements directly reduce your attack surface.

On Ubuntu and Debian, the default PAM configuration is less strict. You may be able to set shorter or simpler passwords, but that does not mean you should.

Viewing password requirements

To see what password quality rules are enforced:

grep -v '^#' /etc/security/pwquality.conf | grep -v '^$'

Common settings:

minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1

The credit values control character class requirements. A negative value means that many characters of that type are required. -1 means at least one. dcredit is digits, ucredit is uppercase, lcredit is lowercase, ocredit is other (special characters).

Changing another user's password

To change another user’s password, you need root access or sudo privileges:

sudo passwd john

This prompts for the new password without asking for john’s current password. Root can set any user’s password without knowing the old one:

New password:
Retype new password:
passwd: password updated successfully

This is the standard way to reset a password for a user who has forgotten theirs. You can verify which users exist on the system before running this command:

getent passwd john

If nothing is returned, the user does not exist.

Setting the password non-interactively

In scripts or automation, you may need to set a password without interactive prompts:

echo "john:newpassword123" | sudo chpasswd

chpasswd reads username:password pairs from standard input. This is useful in provisioning scripts but be aware that the password appears in the command and may be logged in shell history. To avoid this:

sudo chpasswd <<< "john:newpassword123"

Or read from a file:

sudo chpasswd < /tmp/passwords.txt

Where passwords.txt contains lines in username:password format. Delete the file after use.
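
Both forms above still place the password on a typed command line, and a here-string entered at an interactive prompt is saved to shell history like any other command. The following added example (not part of the original article) prompts for the password with echo off and pipes it to chpasswd; set_password_quietly, ask and the CHPASSWD override are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the original article. set_password_quietly, ask
# and the CHPASSWD override are hypothetical names used for illustration.

# Command that receives "user:password" on stdin. Set CHPASSWD=cat for a
# dry run that shows what would be sent.
CHPASSWD=${CHPASSWD:-sudo chpasswd}

# ask PROMPT: show PROMPT only on a terminal, read one raw line into $line.
ask() {
    if [ -t 0 ]; then printf '%s' "$1" >&2; fi
    IFS= read -r line || return 1
    if [ -t 0 ]; then echo >&2; fi
}

set_password_quietly() {
    user=$1
    pw1= pw2= tty_state=
    # chpasswd splits each line at the first ':', so reject names with one.
    case $user in
        ''|*:*) echo "invalid user name" >&2; return 2 ;;
    esac

    if [ -t 0 ]; then
        tty_state=$(stty -g)
        trap 'stty "$tty_state"' INT TERM   # restore echo if interrupted
        stty -echo                          # hide what is typed
    fi
    ask "New password for $user: " && pw1=$line &&
        ask "Retype new password: " && pw2=$line
    read_ok=$?
    if [ -n "$tty_state" ]; then stty "$tty_state"; trap - INT TERM; fi

    if [ "$read_ok" -ne 0 ] || [ -z "$pw1" ] || [ "$pw1" != "$pw2" ]; then
        echo "passwords empty or not matching; nothing changed" >&2
        unset pw1 pw2 line
        return 1
    fi
    # printf is a shell builtin, so the password goes straight into the
    # pipe: it is never an argument of a process and never in history.
    printf '%s:%s\n' "$user" "$pw1" | $CHPASSWD
    rc=$?
    unset pw1 pw2 line
    return "$rc"
}
```

Source the file and run set_password_quietly john; with CHPASSWD=cat it prints the line instead of changing anything.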

Setting an encrypted password directly

If you already have a hashed password (from another system or generated by a tool):

sudo usermod -p '$6$rounds=5000$salt$hashedpassword' john

The -p flag accepts a pre-hashed password. The hash must be in the format that /etc/shadow expects. You can generate a hash with:

openssl passwd -6 -salt $(openssl rand -base64 8) 'yourpassword'

The -6 flag generates a SHA-512 hash, which is the current standard on modern Linux distributions.

Forcing a password change on next login

Sometimes you need to set a temporary password and require the user to change it the first time they log in. This is common when creating new accounts or after a security incident.

sudo passwd john
sudo chage -d 0 john

The first command sets the password. The second command sets the “last password change” date to 0 (January 1, 1970), which tells Linux the password has expired. The next time john logs in via SSH, they are forced to change their password:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for john.
Current password:
New password:
Retype new password:

The user must enter the temporary password you set as “Current password,” then choose their own new password.

Check current password expiration status

sudo chage -l john

Output:

Last password change                    : Mar 15, 2026
Password expires                        : never
Password inactive                       : never
Account expires                         : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

If “Last password change” shows “password must be changed,” the user will be forced to change their password on next login.

Setting password expiration policies

Expire after a number of days

sudo chage -M 90 john

This sets the maximum password age to 90 days. After 90 days, john must change his password. The -M flag stands for maximum days.

Set minimum days between changes

sudo chage -m 1 john

This prevents the user from changing their password more than once per day. Without this, a user forced to change their password could immediately change it back to the old one (if the history check allows it). The -m flag stands for minimum days.

Set warning period

sudo chage -W 14 john

This gives the user a warning 14 days before their password expires. Each time they log in during this period, they see:

Warning: your password will expire in 10 days

Set all at once

sudo chage -M 90 -m 1 -W 14 john

Set system-wide defaults

The defaults for new user accounts are configured in /etc/login.defs:

grep -E '^PASS_MAX_DAYS|^PASS_MIN_DAYS|^PASS_WARN_AGE|^PASS_MIN_LEN' /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

99999 for PASS_MAX_DAYS effectively means passwords never expire. To change the default for all new users, edit these values. Existing users are not affected. You need to use chage on each existing user individually.

Locking and unlocking accounts

Lock an account

sudo passwd -l john

This prepends ! to the password hash in /etc/shadow, making the hash invalid without deleting it. The user cannot log in with a password. SSH key authentication still works because it does not use the password.

To fully prevent login including SSH keys, also set the shell to nologin:

sudo usermod -s /usr/sbin/nologin john

Unlock an account

sudo passwd -u john

This removes the ! prefix from the password hash, restoring the original password. If you also changed the shell, restore it:

sudo usermod -s /bin/bash john

Check if an account is locked

sudo passwd -S john

Output:

john L 03/15/2026 0 99999 7 -1

The second field shows the status: P means password is set (active), L means locked, NP means no password set.
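
The aging and lock settings covered above all end up as fields of the account's /etc/shadow line: chage -d 0 stores 0 as the last-change day, chage -M sets the maximum age, and passwd -l puts ! in front of the hash. The following added example (not from the original article) audits shadow-format lines for those states; audit_shadow and the sample lines are constructed for illustration, and treating a leading * as locked is an assumption.

```sh
#!/bin/sh
# Added example, not from the original article. audit_shadow is a
# hypothetical helper; sample_shadow holds constructed lines.

# audit_shadow TODAY: read shadow(5)-format lines on stdin and print
# "user status finding" per account. TODAY is days since 1970-01-01.
audit_shadow() {
    awk -F: -v today="$1" '
    NF >= 5 {
        hash = $2; lastchg = $3; max = $5
        # Same status letters as "passwd -S": L, NP, P.
        if (hash ~ /^[!*]/)  status = "L"
        else if (hash == "") status = "NP"
        else                 status = "P"

        if (status == "NP")      finding = "no-password"
        else if (status == "L")  finding = "locked"
        else if (lastchg == "0") finding = "must-change-at-login"
        else if (lastchg == "" || max == "" || max + 0 >= 99999)
            finding = "never-expires"
        else if (today > lastchg + max)
            finding = "expired"
        else
            finding = "expires-in-" (lastchg + max - today) "-days"
        print $1, status, finding
    }'
}

# Constructed sample data; hashes are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
john:!$6$constructedsalt$constructedhash:20527:0:99999:7:::
alice:$6$constructedsalt$constructedhash:0:1:90:14:::
bob:$6$constructedsalt$constructedhash:20527:0:99999:7:::
carol:$6$constructedsalt$constructedhash:20400:1:90:14:::
dave:$6$constructedsalt$constructedhash:20527:1:90:14:::
svc::20527:0:99999:7:::
EOF
}

# Day 20542 is 2026-03-30; day 20527 is 2026-03-15.
sample_shadow | audit_shadow 20542
```

On a real system, pipe sudo cat /etc/shadow into audit_shadow and pass $(( $(date +%s) / 86400 )) as the day number.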

SSH passwords vs SSH keys

Changing a user’s password with passwd changes the password used for password-based SSH authentication. If the user authenticates with SSH keys (which they should), changing the password has no effect on their ability to log in via SSH.

The password is still relevant for:

  • sudo commands (which prompt for the user’s password by default)
  • Console login (physical or virtual terminal)
  • Password-based SSH login if key authentication is not enforced

For servers exposed to the internet, SSH key authentication is strongly recommended over passwords. Keys cannot be brute-forced the way passwords can, and they do not trigger fail2ban bans from failed attempts. See How to set up passwordless SSH login for the complete setup.

If you want to disable password authentication entirely and require keys:

sudo grep -n 'PasswordAuthentication' /etc/ssh/sshd_config

Set PasswordAuthentication no and restart sshd:

sudo systemctl restart sshd

After this, only users with authorized SSH keys can log in. Make sure your key is working before disabling password authentication, or you will lock yourself out.
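
The grep above can return several PasswordAuthentication lines. sshd uses the first value it reads for each keyword, including values from files pulled in by an Include directive, and a Match block can turn passwords back on for some users. The following added example (not from the original article) applies those rules to configuration text; password_auth_state and sample_config are hypothetical names and the sample is constructed.

```sh
#!/bin/sh
# Added example, not from the original article. password_auth_state is a
# hypothetical helper and sample_config is constructed input.

# Read sshd_config text on stdin, in the order sshd reads it, and print
# "global=<value> match_yes=<count>" for PasswordAuthentication.
password_auth_state() {
    awk '
    { sub(/^[ \t]+/, "") }             # strip indentation
    /^#/ || /^$/ { next }              # skip comments and blank lines
    {
        split($0, part, /[ \t=]+/)     # keyword first, then its argument
        key = tolower(part[1])         # keywords are case-insensitive
        if (key == "match") { in_match = 1; next }
        if (key != "passwordauthentication") next
        if (in_match) {                # Match blocks override the global value
            if (part[2] == "yes") match_yes++
        } else if (global == "") {     # the first global value wins
            global = part[2]
        }
    }
    END {
        if (global == "") global = "yes"   # sshd default when never set
        print "global=" global " match_yes=" (match_yes + 0)
    }'
}

# Constructed sample: an included file read first, then the main file.
sample_config() {
    cat <<'EOF'
# constructed: contents of a file included at the top of sshd_config
PasswordAuthentication yes
# constructed: main sshd_config after the edit described above
#PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# The edit to "no" is shadowed by the earlier "yes", and a Match block
# re-enables passwords for one user.
sample_config | password_auth_state
```

On a live host, sudo sshd -t checks the file for errors before the restart and sudo sshd -T prints the configuration sshd will actually use.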

On Hostney, SSH access uses key-based authentication only. Password authentication is not available. You manage your SSH keys through the control panel under SSH Keys.

Changing the root password

sudo passwd root

On Ubuntu, the root account is disabled by default (no password is set, and direct root login is blocked). Administration is done through sudo. Setting a root password on Ubuntu enables the root account, which is generally not recommended. Use sudo instead.

On RHEL, Rocky Linux, and CentOS, the root account is active and has a password set during installation. Change it with sudo passwd root or by logging in as root and running passwd.

Common errors

passwd: Authentication token manipulation error

This usually means:

  • The /etc/shadow file is read-only (filesystem mounted read-only, or immutable attribute set)
  • The PAM configuration is broken
  • The disk is full and the shadow file cannot be written

Check with:

mount | grep ' / '  # Check if root filesystem is read-only
df -h /             # Check disk space
lsattr /etc/shadow  # Check for immutable attribute

passwd: password unchanged

You entered the same password as the current one. Choose a different password.

passwd: Have exhausted maximum number of retries

You failed to enter a valid new password three times. Run passwd again and enter a password that meets the complexity requirements.

Quick reference

# Change your own password
passwd

# Change another user's password (requires sudo)
sudo passwd username

# Force password change on next login
sudo chage -d 0 username

# Set password expiration to 90 days
sudo chage -M 90 username

# Check password status and expiration
sudo chage -l username

# Lock an account
sudo passwd -l username

# Unlock an account
sudo passwd -u username

# Check if account is locked
sudo passwd -S username

# Set password non-interactively
echo "username:newpassword" | sudo chpasswd

# View password quality requirements
grep -v '^#' /etc/security/pwquality.conf | grep -v '^$'

# Change root password
sudo passwd root
