Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
PASSWD(1)			User utilities			     PASSWD(1)

       passwd -	update a user's	authentication tokens(s)

       passwd [-k] [-l]	[-u [-f]] [-d] [-n mindays] [-x	maxdays] [-w warndays]
       [-i inactivedays] [-S] [username]

       Passwd is used to update	a user's authentication	token(s).

       Passwd is configured to work through the	Linux-PAM  API.	  Essentially,
       it initializes itself as	a "passwd" service with	Linux-PAM and utilizes
       configured password modules to authenticate and then  update  a	user's

       A  simple  entry	 in  the Linux-PAM configuration file for this service
       would be:

	# passwd service entry that does strength checking of
	# a proposed password before updating it.
	passwd password	requisite \
		    /usr/lib/security/ retry=3
	passwd password	required \
		    /usr/lib/security/ use_authtok

       Note, other module-types	are not	required for this application to func-
       tion correctly.

       -k     The  option, -k, is used to indicate that	the update should only
	      be for  expired  authentication  tokens  (passwords);  the  user
	      wishes to	keep their non-expired tokens as before.

       -l     This  option  is	used  to  lock the specified account and it is
	      available	to root	only. The locking is  performed	 by  rendering
	      the  encrypted password into an invalid string (by prefixing the
	      encrypted	string with an !).

	      This option is used to indicate that passwd should read the  new
	      password from standard input, which can be a pipe.

       -u     This  is	the  reverse of	the -l option -	it will	unlock the ac-
	      count password by	removing the ! prefix. This option  is	avail-
	      able  to	root  only.  By	default	passwd will refuse to create a
	      passwordless account (it will not	unlock	an  account  that  has
	      only  "!"	as a password).	The force option -f will override this

       -d     This is a	quick way to disable a password	 for  an  account.  It
	      will set the named account passwordless. Available to root only.

       -n     This  will  set  the  minimum password lifetime, in days,	if the
	      user's account supports password lifetimes.  Available  to  root

       -x     This  will  set  the  maximum password lifetime, in days,	if the
	      user's account supports password lifetimes.  Available  to  root

       -w     This  will set the number	of days	in advance the user will begin
	      receiving	warnings that her password will	expire,	if the	user's
	      account supports password	lifetimes.  Available to root only.

       -i     This  will  set the number of days which will pass before	an ex-
	      pired password for this account will be taken to mean  that  the
	      account  is  inactive  and should	be disabled, if	the user's ac-
	      count supports password lifetimes.  Available to root only.

       -S     This will	output a short information about  the  status  of  the
	      password for a given account. Available to root user only.

Remember the following two principles
       Protect your password.
	      Don't  write  down  your password	- memorize it.	In particular,
	      don't write it down and leave it anywhere, and don't place it in
	      an  unencrypted  file!  Use unrelated passwords for systems con-
	      trolled by different organizations.  Don't give  or  share  your
	      password,	 in particular to someone claiming to be from computer
	      support or a vendor.  Don't let  anyone  watch  you  enter  your
	      password.	  Don't	 enter	your  password to a computer you don't
	      trust or if things Use the  password  for	 a  limited  time  and
	      change it	periodically.

       Choose a	hard-to-guess password.
	      passwd  will try to prevent you from choosing a really bad pass-
	      word, but	it  isn't  foolproof;  create  your  password  wisely.
	      Don't  use something you'd find in a dictionary (in any language
	      or jargon).  Don't use a name (including that of a spouse,  par-
	      ent, child, pet, fantasy character, famous person, and location)
	      or any variation of your personal	or account  name.   Don't  use
	      accessible information about you (such as	your phone number, li-
	      cense plate, or social security  number)	or  your  environment.
	      Don't  use  a  birthday  or a simple pattern (such as backwards,
	      followed by a digit, or preceded by a digit. Instead, use	a mix-
	      ture of upper and	lower case letters, as well as digits or punc-
	      tuation.	When choosing a	new password, make sure	it's unrelated
	      to  any  previous	password. Use long passwords (say 8 characters
	      long).  You might	use a word pair	with punctuation  inserted,  a
	      passphrase  (an  understandable sequence of words), or the first
	      letter of	each word in a passphrase.

       These principles	are partially enforced by the system, but only	partly
       so.  Vigilence on your part will	make the system	much more secure.

       On  successful  completion  of its task,	passwd will complete with exit
       code 0.	An exit	code of	1 indicates an error occurred.	Textual	errors
       are written to the standard error stream.

       Linux-PAM (Pluggable Authentication modules for Linux).
       Note,  if your distribution of Linux-PAM	conforms to the	Linux Filesys-
       tem Standard, you may find the modules  in  /lib/security/  instead  of
       /usr/lib/security/, as indicated	in the example.

       /etc/pam.d/passwd - the Linux-PAM configuration file

       None known.

       pam(8), and pam_chauthok(2).

       For more	complete information on	how to configure this application with
       Linux-PAM, see the Linux-PAM System Administrators' Guide at

       Cristian	Gafton <>

Red Hat	Linux			  Jan 03 1998			     PASSWD(1)


Want to link to this manual page? Use this URL:

home | help