Aug 052015
 

How to Set Password Aging on CentOS 7In this age of relentless online attacks by criminals, forcing password changes upon users is a must adopt security policy.

As any seasoned Linux system administrator will tell you, only idiots don’t implement password aging.

The concept of setting timelines for password validity is known as password aging.

The key advantage of password aging (forcing password changes) is that even if a password is cracked or stolen, its value to criminals is only for a short window of time.

In a sign of its importance, some US banks are already enforcing password changes for its customers at periodic intervals (90 days, 120 days or 180 days, depending on the bank).

Password Aging on CentOS 7

In this post, we’ll examine how to set up password aging on CentOS 7 and Red Hat Enterprise Linux 7.

Let’s first look at a hypothetical user Jason without any password aging set up.

We’ll use the chage -l user_name command to check Jason’s current password aging setting.

$ sudo chage -l jason
Last password change					: Aug 05, 2015
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

We note from the results (above) that for all practical purposes Jason’s password never expires since the maximum number of days between password change is set at a high 99,999 days (273 years).

Now let’s set password aging for Jason so that he’ll be compelled to change his password when it expires.

In the below example, we’re setting Jason’s password to expire in 80 days.

Linux system administrators usually set password expiration for 90 days but we’ll go with 80 days in the following example.

$ sudo chage -M 80 jason

Now let’s check Jason’s account aging information via the chage -l check aging setting command.

As we see below, Jason’s password is now set to expire on October 24, 2015, i.e. in 80-days.

$ sudo chage -l jason
Last password change					: Aug 05, 2015
Password expires					: Oct 24, 2015
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 80
Number of days of warning before password expires	: 7

We see above that Jason’s password now expires on October 24, 2015 because of the changes we made via the chage -M days user command.

If you want to disable password expiration, use the CentOS 7 default value of 99999 (which works out to 273 years).

Force Immediate Password Expiration

We can also use the chage command to force immediate expiration of an user’s password.

$ sudo chage -d 0 user_name

Let’s now force our hypothetical user Jason’s password to expire immediately.

$ sudo chage -d 0 jason

Let’s see what’s happened as the result of our above change.

$ sudo chage -l jason
Last password change					: password must be changed
Password expires					: password must be changed
Password inactive					: password must be changed
Account expires						: Oct 24, 2015
Minimum number of days between password change		: 10
Maximum number of days between password change		: 80
Number of days of warning before password expires	: 15

As we see above, Jason’s password has expuired because the Linux administrator forced it to expire immediately.

While the default number of days of warning before password expires is seven, you can change it with chage -W days user_name command.

$ sudo chage -W 15 jason

Let’s again check the password aging setting for Jason.

$ sudo chage -l jason
Last password change					: Aug 05, 2015
Password expires					: Oct 24, 2015
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 80
Number of days of warning before password expires	: 15

Create Fresh Password

Once a password has expired, it’s easy to create a new one via the following command.

$ sudo passwd jason
Changing password for user jason.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Not enforcing password aging for users in these perilous times is utter folly and would cost an organization heavily sooner or later.

Sorry, the comment form is closed at this time.