Annotated edit history of passwd(1) version 1, including all changes.
Rev Author # Line
1 perry 1 PASSWD
2 !!!PASSWD
3 NAME
4 SYNOPSIS
5 DESCRIPTION
6 CAVEATS
7 FILES
8 SEE ALSO
9 AUTHOR
10 ----
11 !!NAME
12
13
14 passwd - change user password
15 !!SYNOPSIS
16
17
18 __passwd__ [[__-f__|__-s__] [[''name'']__
19 passwd__ [[__-g__] [[__-r__|__-R__]
20 ''group''__
21 passwd__ [[__-x__ ''max''] [[__-n__ ''min'']
22 [[__-w__ ''warn''] [[__-i__ ''inact'']
23 ''name''__
24 passwd__
25 {__-l__|__-u__|__-d__|__-S__|__-e__}
26 ''name''
27 !!DESCRIPTION
28
29
30 __passwd__ changes passwords for user and group accounts.
31 A normal user may only change the password for their own
32 account, the super user may change the password for any
33 account. The administrator of a group may change the
34 password for the group. __passwd__ also changes account
35 information, such as the full name of the user, their login
36 shell, or password expiry dates and intervals.
37
38
39 __Password Changes__
40
41
42 The user is first prompted for their old password, if one is
43 present. This password is then encrypted and compared
44 against the stored password. The user has only one chance to
45 enter the correct password. The super user is permitted to
46 bypass this step so that forgotten passwords may be
47 changed.
48
49
50 After the password has been entered, password aging
51 information is checked to see if the user is permitted to
52 change their password at this time. If not, __passwd__
53 refuses to change the password and exits.
54
55
56 The user is then prompted for a replacement password. This
57 password is tested for complexity. As a general guideline,
58 passwords should consist of 6 to 8 characters including one
59 or more from each of the following sets:
60
61
62 Lower case alphabetics
63
64
65 Upper case alphabetics
66
67
68 Digits 0 thru 9
69
70
71 Punctuation marks
72
73
74 Care must be taken not to include the system default erase
75 or kill characters. __passwd__ will reject any password
76 which is not suitably complex.
77
78
79 If the password is accepted, __passwd__ will prompt again
80 and compare the second entry against the first. Both entries
81 are required to match in order for the password to be
82 changed.
83
84
85 __Group passwords__
86
87
88 When the __-g__ option is used, the password for the
89 named group is changed. The user must either be the super
90 user, or a group administrator for the named group. The
91 current group password is not prompted for. The __-r__
92 option is used with the __-g__ option to remove the
93 current password from the named group. This allows group
94 access to all members. The __-R__ option is used with the
95 __-g__ option to restrict the named group for all
96 users.
97
98
99 __Password expiry information__
100
101
102 The password aging information may be changed by the super
103 user with the __-x__, __-n__, __-w__, and __-i__
104 options. The __-x__ option is used to set the maximum
105 number of days a password remains valid. After ''max''
106 days, the password is required to be changed. The __-n__
107 option is used to set the minimum number of days before a
108 password may be changed. The user will not be permitted to
109 change the password until ''min'' days have elapsed. The
110 __-w__ option is used to set the number of days of
111 warning the user will receive before their password will
112 expire. The warning occurs ''warn'' days before the
113 expiration, telling the user how many days until the
114 password is set to expire. The __-i__ option is used to
115 disable an account after the password has been expired for a
116 number of days. After a user account has had an expired
117 password for ''inact'' days, the user may no longer sign
118 on to the account.
119
120
121 __Account maintenance__
122
123
124 User accounts may be locked and unlocked with the __-l__
125 and __-u__ flags. The __-l__ option disables an
126 account by changing the password to a value which matches no
127 possible encrypted value. The __-u__ option re-enables an
128 account by changing the password back to its previous
129 value.
130
131
132 If you wish to immediately expire an account's password, you
133 can use the __-e__ option. This in effect can force a
134 user to change their password at their next login. You can
135 also use the __-d__ option to delete a user's password
136 (make it empty). Use caution with this option since it can
137 make an account not require a password at all to login,
138 leaving your system open to intruders.
139
140
141 The account status may be given with the __-S__ option.
142 The status information consists of 6 parts. The first part
143 indicates if the user account is locked (L), has no password
144 (NP), or has a usable password (P). The second part gives
145 the date of the last password change. The next four parts
146 are the minimum age, maximum age, warning period, and
147 inactivity period for the password.
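
The aging rules for __-x__, __-n__, __-w__ and __-i__ and the L/NP/P status codes described above, applied to constructed shadow(5)-style lines. This is an added example, not part of the man page or of passwd itself. The field layout, the leading "!" or "*" lock marker, a last-change value of 0 after __-e__, and the exact boundary days are assumptions of the example.

```python
# Constructed sample lines in shadow(5) layout (not real accounts or hashes):
# name:password:lastchg:min:max:warn:inact:expire:reserved
SAMPLE = """\
alice:$6$salt$constructedA:19000:1:90:7:14::
bob:!$6$salt$constructedB:19000:0:90:7:14::
carol::19000:0:99999:7:::
dave:$6$salt$constructedD:19000:0:30:7:14::
erin:$6$salt$constructedE:19083:5:90:7:::
frank:$6$salt$constructedF:0:0:90:7:::
"""

def _days(field):
    """Empty shadow fields mean 'not set'."""
    return int(field) if field else None

def status_code(pw):
    """Map the password field to the L / NP / P codes reported by -S."""
    if pw == "":
        return "NP"                  # what -d leaves behind: no password needed
    if pw[0] in "!*":
        return "L"                   # assumed lock marker (shadow-utils style)
    return "P"

def aging_state(lastchg, mx, warn, inact, today):
    """Classify per -x / -w / -i; boundary days are this example's choice."""
    if lastchg == 0:
        return "expired"             # assumed effect of -e: change at next login
    if lastchg is None or mx is None:
        return "ok"
    age = today - lastchg
    if age >= mx:
        if inact is not None and age >= mx + inact:
            return "inactive"        # expired for inact days: sign-on refused
        return "expired"
    if warn is not None and age >= mx - warn:
        return "warning"
    return "ok"

def audit(text, today):
    """Return {name: (status, aging, may_change_now)} for each shadow line."""
    report = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue                 # malformed line: skip rather than guess
        lastchg, mn, mx, warn, inact = (_days(x) for x in f[2:7])
        may_change = mn is None or lastchg is None or today - lastchg >= mn
        report[f[0]] = (status_code(f[1]),
                        aging_state(lastchg, mx, warn, inact, today), may_change)
    return report
```

Calling audit(SAMPLE, today=19085) flags carol as NP (no password required to log in) and dave as inactive, which are the two rows an account review would look at first.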
148
149
150 __Hints for user passwords__
151
152
153 The security of a password depends upon the strength of the
154 encryption algorithm and the size of the key space. The
155 __UNIX__ System encryption method is based
156 on the NBS DES algorithm and is very secure. The size of the
157 key space depends upon the randomness of the password which
158 is selected.
159
160
161 The __-s__ option makes passwd call chsh to change the
162 user's shell. The __-f__ option makes passwd call chfn to
163 change the user's gecos information. These two options are
164 only meant for compatibility, since the other programs can be
165 called directly.
166
167
168 Compromises in password security normally result from
169 careless password selection or handling. For this reason,
170 you should select a password which does not appear in a
171 dictionary and which does not need to be written down. The password
172 should also not be a proper name, your license number, birth
173 date, or street address. Any of these may be used as guesses
174 to violate system security.
175
176
177 Your password must be easily remembered so that you will not be
178 forced to write it on a piece of paper. This can be
179 accomplished by appending two small words together and
180 separating each with a special character or digit. For
181 example, Pass%word.
182
183
184 Other methods of construction involve selecting an easily
185 remembered phrase from literature and selecting the first or
186 last letter from each. An example of this is
187
188
189 Ask not for whom the bell tolls.
190
191
192 which produces
193
194
195 An4wtbt.
196
197
198 You may be reasonably sure few crackers will have included
199 this in their dictionary. You should, however, select your
200 own methods for constructing passwords and not rely
201 exclusively on the methods given here.
202
203
204 __Notes about group passwords__
205
206
207 Group passwords are an inherent security problem since more
208 than one person is permitted to know the password. However,
209 groups are a useful tool for permitting co-operation between
210 different users.
211 !!CAVEATS
212
213
214 Not all options may be supported. Password complexity
215 checking may vary from site to site. The user is urged to
216 select as complex a password as they feel comfortable with.
217 Users may not be able to change their password on a system
218 if NIS is enabled and they are not logged into the NIS
219 server.
220 !!FILES
221
222
223 /etc/passwd - user account information
224 /etc/shadow - encrypted user passwords
225 !!SEE ALSO
226
227
228 group(5), passwd(5)
229 !!AUTHOR
230
231
232 Julianne Frances Haugh (jfh@austin.ibm.com)
233 ----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.