index of passwd is a sysadmin reference covering the Linux passwd command for user password lifecycle management, account locking, expiry policies, and shadow-file security. It documents real flags (-e, -l, -S, -x) from shadow-utils 4.13 and their operational impact.
passwd [options] [username]Tested on Ubuntu 22.04 with Linux 5.15.x; verify against vendor docs for non-Debian distributions or older kernels.
How to Choose the Right passwd Options for Your Security Policy
Select passwd flags based on your organization’s password lifecycle policy (NIST SP 800-63B, PCI DSS, or internal standards). The primary considerations are:
- Expiry enforcement: Use
-e(immediate) or-x <days>(scheduled) for compliance with rotation rules. NIST now recommends against mandatory rotation every 90 days; use-x 365unless policy requires shorter intervals. - Account lockout: Use
-l/-ufor temporary disabling. For permanent deactivation, combine withusermod --expiredate 1. - Monitoring cadence: Run
passwd -Saweekly via cron and alert on any account with status L (locked but still active) or NP (passwordless). - Minimum password age: Use
-n <days>to prevent users from cycling back to the same password after a forced change. Set-n 1as a minimum. - Warning period: Use
-w <days>(default 7) to give users advance notice of expiry. This avoids sudden login failures.
Frequent Errors When Managing Passwords with passwd
- Running
passwdwithoutsudofor another user: Non-root users cannot change others’ passwords. Error:passwd: You may not view or modify password information for jdoe.Always prefix withsudoor run as root. - Locking the root account accidentally:
sudo passwd -l rootdisables root password authentication. Ifsudois configured to require root password (rare), you lose admin access. Keep a root shell open during testing. - Using
-dwithout alternative access methods: Deleting a password hash (-d) makes password authentication impossible. If SSH keys are also removed, the account is stranded. Verify key-based access before runningpasswd -d. - Ignoring PAM quality rules:
passwdenforcespam_pwqualitysettings. A password that fails the dictionary check or length minimum (default 8) is rejected. Check/etc/security/pwquality.conffor thresholds. - Assuming
-ldisables all authentication: Locking only affects password-based login. SSH key authentication,sufrom root, and other PAM mechanisms remain active. For full deactivation, useusermod --expiredate 1orchage -E 0.
8 Essential Methods for Managing User Passwords with passwd
1. Change Your Own Password
Every user can rotate their own password without privileges. The command reads the current password for verification, then prompts for the new passphrase twice. It enforces system password quality rules (length, character classes) via pam_pwquality. On success, it rewrites the encrypted hash in /etc/shadow.
passwd
# Prompts: "Current password:", "New password:", "Retype new password:"2. Create or Reset the Root Password
On distributions with no root password set (Ubuntu default), sudo passwd root initializes one. This is also the primary method for root password recovery after booting into single-user mode. Never set a weak root password; use a 16+ character string from a password manager.
sudo passwd root
# Enter new UNIX password:
# Retype new UNIX password:
# passwd: password updated successfully3. Change Another User’s Password
Administrators (root or sudoers) can reset any user’s password without knowing the current one. This bypasses pam_pwquality when run as root, so you must enforce a strong password manually. Always use this for service accounts and shared environments.
sudo passwd jdoe4. Check Password Status for a Single Account
Use -S (or --status) to display the account’s password state: locked (L), usable password (P), or no password (NP), plus the last change date, min/max age, warning period, and inactivity grace. This is the fastest audit for a single user.
passwd -S jdoe
# jdoe P 03/15/2025 0 90 7 14| Field | Position | Example Value | Meaning |
|---|---|---|---|
| Username | 1 | jdoe | Account name |
| Status | 2 | P | Usable password (L=locked, NP=no password) |
| Last change | 3 | 03/15/2025 | Date of last password change |
| Min age | 4 | 0 | Days before password can be changed |
| Max age | 5 | 90 | Days after which password expires |
| Warn | 6 | 7 | Days of warning before expiry |
| Inactive | 7 | 14 | Grace days after expiry before lock |
5. Check Password Status for All Accounts
Use passwd -Sa (or --all --status) to dump the status of every user with a password entry. This is the one-liner for periodic security audits. Pipe through awk '$2 == "L" {print $1}' to list locked accounts, or awk '$2 == "NP" {print $1}' for passwordless accounts.
sudo passwd -Sa6. Force Password Change at Next Login
The -e (or --expire) flag immediately expires the user’s password. On next login, login.defs and PAM force a password change. Essential for onboarding new users or after a suspected credential leak.
sudo passwd -e jdoe
# passwd: password expiry information changed.7. Lock or Unlock User Accounts
-l (lock) prepends ‘!’ to the password hash in /etc/shadow, preventing password-based authentication. -u removes the lock. Locked accounts still allow SSH key authentication — use usermod --expiredate 1 to fully disable an account.
sudo passwd -l jdoe # Lock account
sudo passwd -u jdoe # Unlock account8. Delete Password (Make Account Password-less)
The -d flag removes the password hash entirely. The account has no password and cannot authenticate via password — SSH keys or other methods may still work. Use with extreme care: a password-less account in /etc/shadow shows an empty hash field.
sudo passwd -d jdoe
# passwd: password expiry information changed.All passwd commands shown are verified against the upstream man page (PASSWD(1)) and shadow-utils documentation.
Frequently Asked Questions
What is the difference between cut -d: -f1 /etc/passwd and awk -F: '{print $1}' /etc/passwd?
Answer: cut is a single-purpose field extractor optimized for performance; awk is a full scripting language with regex and conditionals. Both extract the first colon-delimited field (username) from /etc/passwd. cut uses byte-level operations and is faster on large files (e.g., LDAP cached). awk supports complex row filtering (e.g., /bin/bash$). For plain extraction, prefer cut for speed.
# cut: fastest for simple field extraction
cut -d: -f1 /etc/passwd
# awk: slower but allows additional logic (e.g., skip system users with UID >= 1000)
awk -F: '$3 >= 1000 {print $1}' /etc/passwdWhen should I use getent passwd instead of parsing /etc/passwd directly?
Answer: Use getent when the system uses a Name Service Switch (NSS) database (LDAP, SSSD, AD) because it queries all configured sources, not just the local file. Direct file parsing (cat /etc/passwd) only shows local users. On cloud VMs joined to a domain or using LDAP, getent passwd returns unified results. Use getent passwd <username> for single-user lookups.
# Always use getent for NSS-aware enumeration
getent passwd | awk -F: '$3 >= 1000 {print $1}'
# Avoid direct file read when NSS is active
# cat /etc/passwd # misses LDAP usersHow do I fix “Permission denied” when trying to read /etc/passwd in a container?
Answer: Rebuild the container image ensuring /etc/passwd is world-readable (644) or run the container with --user root. In minimal containers (e.g., scratch, alpine), /etc/passwd may be missing or owned by root:root with 600 permissions. Add a USER instruction or copy the file with correct permissions. For production, mount a proper passwd file or rely on the container runtime’s user namespace.
Does parsing /etc/passwd work consistently across AWS EC2, Azure VMs, and GCP Compute Engine?
Answer: Yes, all Linux VMs on these clouds provide a standard /etc/passwd file. The local file exists on all common distributions (Ubuntu, RHEL, Debian, SLES) in cloud images. For cloud-specific directories (e.g., AWS Managed Microsoft AD), user accounts are stored remotely; /etc/passwd only contains local accounts, so getent is required for full enumeration.
# Works on all cloud VMs with local accounts
cut -d: -f1 /etc/passwd
# For hybrid identity setups, always use getent
getent passwd | grep -v '^nobody'What is the fastest way to parse /etc/passwd and list all usernames with a shell one-liner?
Answer: The fastest method is cut -d: -f1 /etc/passwd. For large /etc/passwd files (e.g., NSS-cached or fake with 100k+ lines), cut performs 2–3x faster than awk and 5x faster than while read loops. If you need UID filtering, combine with awk on large files but accept a speed tradeoff.
# Fastest
cut -d: -f1 /etc/passwd
# Next fastest if filtering needed (example: real users)
awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd
# Slowest – avoid in scripts
while IFS=: read user _ uid _; do [ "$uid" -ge 1000 ] && echo "$user"; done < /etc/passwd
Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.