Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
PASSWD(1)			User utilities			     PASSWD(1)

       passwd -	update a user's	authentication tokens(s)

       passwd [-k] [-l]	[-u [-f]] [-d] [-n mindays] [-x	maxdays] [-w warndays]
       [-i inactivedays] [-S] [username]

       Passwd is used to update	a user's authentication	token(s).

       Passwd is configured to work through the	Linux-PAM  API.	  Essentially,
       it initializes itself as	a "passwd" service with	Linux-PAM and utilizes
       configured password modules to authenticate and then  update  a	user's

       A  simple  entry	 in  the Linux-PAM configuration file for this service
       would be:

	# passwd service entry that does strength checking of
	# a proposed password before updating it.
	passwd password	requisite \
		    /usr/lib/security/ retry=3
	passwd password	required \
		    /usr/lib/security/ use_authtok

       Note, other module-types	are not	required for this application to func-
       tion correctly.

       -k     The  option, -k, is used to indicate that	the update should only
	      be for  expired  authentication  tokens  (passwords);  the  user
	      wishes to	keep their non-expired tokens as before.

       -l     This  option  is	used  to  lock the specified account and it is
	      available	to root	only. The locking is  performed	 by  rendering
	      the  encrypted password into an invalid string (by prefixing the
	      encrypted	string with an !).

	      This option is used to indicate that passwd should read the  new
	      password from standard input, which can be a pipe.

       -u     This  is	the  reverse  of  the  -l  option - it will unlock the
	      account password by removing the ! prefix. This option is	avail-
	      able  to	root  only.  By	default	passwd will refuse to create a
	      passwordless account (it will not	unlock	an  account  that  has
	      only  "!"	as a password).	The force option -f will override this

       -d     This is a	quick way to disable a password	 for  an  account.  It
	      will set the named account passwordless. Available to root only.

       -n     This will	set the	minimum	password lifetime,  in	days,  if  the
	      user's  account  supports	password lifetimes.  Available to root

       -x     This will	set the	maximum	password lifetime,  in	days,  if  the
	      user's  account  supports	password lifetimes.  Available to root

       -w     This will	set the	number of days in advance the user will	 begin
	      receiving	 warnings that her password will expire, if the	user's
	      account supports password	lifetimes.  Available to root only.

       -i     This will	set the	number of  days	 which	will  pass  before  an
	      expired password for this	account	will be	taken to mean that the
	      account is inactive  and	should	be  disabled,  if  the	user's
	      account supports password	lifetimes.  Available to root only.

       -S     This  will  output  a  short information about the status	of the
	      password for a given account. Available to root user only.

Remember the following two principles
       Protect your password.
	      Don't write down your password - memorize	 it.   In  particular,
	      don't write it down and leave it anywhere, and don't place it in
	      an unencrypted file!  Use	unrelated passwords for	 systems  con-
	      trolled  by  different  organizations.  Don't give or share your
	      password,	in particular to someone claiming to be	from  computer
	      support  or  a  vendor.	Don't  let anyone watch	you enter your
	      password.	 Don't enter your password to  a  computer  you	 don't
	      trust  or	 if  things  Use  the  password	for a limited time and
	      change it	periodically.

       Choose a	hard-to-guess password.
	      passwd will try to prevent you from choosing a really bad	 pass-
	      word,  but  it  isn't  foolproof;	 create	 your password wisely.
	      Don't use	something you'd	find in	a dictionary (in any  language
	      or  jargon).  Don't use a	name (including	that of	a spouse, par-
	      ent, child, pet, fantasy character, famous person, and location)
	      or  any  variation  of your personal or account name.  Don't use
	      accessible information about you (such  as  your	phone  number,
	      license  plate,  or social security number) or your environment.
	      Don't use	a birthday or a	simple	pattern	 (such	as  backwards,
	      followed by a digit, or preceded by a digit. Instead, use	a mix-
	      ture of upper and	lower case letters, as well as digits or punc-
	      tuation.	When choosing a	new password, make sure	it's unrelated
	      to any previous password.	Use long passwords (say	 8  characters
	      long).   You  might use a	word pair with punctuation inserted, a
	      passphrase (an understandable sequence of	words),	or  the	 first
	      letter of	each word in a passphrase.

       These  principles are partially enforced	by the system, but only	partly
       so.  Vigilence on your part will	make the system	much more secure.

       On successful completion	of its task, passwd will  complete  with  exit
       code 0.	An exit	code of	1 indicates an error occurred.	Textual	errors
       are written to the standard error stream.

       Linux-PAM (Pluggable Authentication modules for Linux).
       Note, if	your distribution of Linux-PAM conforms	to the Linux  Filesys-
       tem  Standard,  you  may	 find the modules in /lib/security/ instead of
       /usr/lib/security/, as indicated	in the example.

       /etc/pam.d/passwd - the Linux-PAM configuration file

       None known.

       pam(8), and pam_chauthok(2).

       For more	complete information on	how to configure this application with
       Linux-PAM, see the Linux-PAM System Administrators' Guide at

       Cristian	Gafton <>

Red Hat	Linux			  Jan 03 1998			     PASSWD(1)


Want to link to this manual page? Use this URL:

home | help