Change password linux is the operation of modifying a user’s authentication secret using the passwd command, which updates the hashed password in /etc/shadow via PAM.
passwd [options] [username]Tested on Ubuntu 24.04 with shadow-utils 4.13.
Syntax
- Run as current user:
passwd - As root:
sudo passwd [username]
Options and Flags
| Flag | Type | Default | Description |
|---|---|---|---|
-d |
Boolean | Off | Delete password (account becomes passwordless) |
-e |
Boolean | Off | Force password expiration on next login |
-l |
Boolean | Off | Lock the user account (prefixes hash with !) |
-u |
Boolean | Off | Unlock a locked account |
-x |
Integer (days) | 99999 | Maximum password age |
-m |
Integer (days) | 0 | Minimum password age |
-W |
Integer (days) | 7 | Password warning period |
-i |
Integer (days) | 0 | Inactive account lock after expiration |
-S |
Display | N/A | Show account status (age, lock state) |
Flags -x, -m, -W, -i are delegated to chage and affect /etc/shadow aging fields.
Usage Examples
Change current user’s password
passwdPrompts for current password, then new password twice. If PAM policy is enforced, the new password must meet complexity requirements (length, character classes).
Change another user’s password (root only)
sudo passwd jdoeResets password for user jdoe. No current password prompt. Useful for recovery or initial provisioning.
Force password change on next login
sudo passwd -e jdoeSets the last password change date to epoch 0, forcing jdoe to update their password at the next authentication attempt.
Lock/unlock an account
sudo passwd -l jdoe # Lock account
sudo passwd -u jdoe # Unlock accountLocking prefixes the hashed password with !, preventing all password-based authentication. SSH key auth may still work if not restricted.
Set password aging
sudo passwd -x 90 -m 7 -W 14 -i 30 jdoeEnforces 90-day max password age, 7-day minimum interval between changes, 14-day warning, and 30-day inactivity lock.
Troubleshooting & Common Errors
| Error Message | Root Cause | Resolution Command |
|---|---|---|
passwd: Authentication token manipulation error |
User not permitted to change password (e.g., account locked, or PAM policy blocks change) | Check account status: sudo passwd -S username. Unlock if needed: sudo passwd -u username. |
passwd: password unchanged |
New password does not meet complexity requirements or is too similar to old | Use a password with upper/lower/digits/special characters ≥8 length. Check /etc/security/pwquality.conf. |
passwd: Permission denied |
Non-root user trying to change another user’s password | Prepend sudo and supply root password, or use su first. |
passwd: User not known to the underlying authentication module |
User exists in /etc/passwd but not in NSS/PAM backend (e.g., LDAP) |
Verify with getent passwd username. If LDAP, ensure nslcd is running. |
Bulk password reset example
# Force password expiry for a list of users
users="user1 user2 user3"
echo "$users" | xargs -P 4 -n 1 sudo passwd -eVerified References
| Command | Source | Notes |
|---|---|---|
passwd |
man7.org (PASSWD(1)) | Canonical reference for syntax and flags. |
Frequently Asked Questions
What is the difference between passwd and chpasswd?
Answer: passwd changes a single user’s password interactively; chpasswd batch-updates passwords from stdin, supporting hashes like SHA-512. Use echo "user:newpass" | chpasswd for plaintext, or -e for pre-hashed strings.
When should I use the --stdin flag with passwd?
Answer: --stdin is available on some distributions (e.g., RHEL/CentOS 7) but deprecated. Prefer chpasswd for portability across Ubuntu/Debian and RHEL 8+.
How do I fix “authentication token manipulation error”?
Answer: This error indicates missing root privileges or a locked account. Verify /etc/shadow permissions (640, root:shadow). Unlock with sudo passwd -u username. If using LDAP, check nsswitch.conf.
Does passwd work identically on AWS, Azure, and GCP?
Answer: Yes, passwd behaves identically on all three clouds since they run standard Linux kernels. Cloud-init may reset passwords on first boot unless disabled.
What is the fastest way to change a password non-interactively?
Answer: Use echo "user:newpass" | sudo chpasswd – it reads from stdin, avoids prompts, and supports SHA-512 hashing. For pre-hashed strings: echo "user:$(openssl passwd -6 newpass)" | sudo chpasswd -e.
Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.
Whether you are a beginner taking your first steps in a Linux environment or a seasoned DevOps engineer looking to optimize your deployment scripts, you will find actionable solutions here. My goal is to help you ditch the mouse, speed up your workflow, and harness the full power of the command line.