Unix - Password Policies in Unix Using passwd?
In Unix and Linux systems, password policies are essential for maintaining system security and preventing unauthorized access. The passwd command is the primary tool used to set, change, lock, and manage user passwords, while system-wide password policies are enforced through configuration files and authentication modules.
The passwd Command Basics
To set or change a user’s password:
passwd username
Users can change their own passwords, while the root user can change passwords for any account. The command enforces password rules such as minimum length and complexity, depending on system configuration.
Password Aging and Expiration
Password aging policies define how long a password remains valid. These rules help reduce the risk of compromised credentials.
Common options:
passwd -n 7 username # Minimum days before password change
passwd -x 90 username # Maximum password validity (days)
passwd -w 7 username # Warning days before expiration
passwd -i 30 username # Days after expiration before the account is disabled
These settings are stored in /etc/shadow.
Locking and Unlocking Accounts
To temporarily disable or enable a user account:
passwd -l username # Lock account
passwd -u username # Unlock account
This is useful for securing inactive users or responding to security incidents without deleting accounts.
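An added audit script, not part of the original article, that reads /etc/shadow-format lines (constructed sample data, not a real system) and reports each account's lock state plus any aging field that falls outside the policy values used above (min 7, max 90, warn 7, inactive 30):

```shell
#!/bin/sh
# Field layout of /etc/shadow:
#   name:hash:lastchg:min:max:warn:inactive:expire:flag
# Constructed sample data (hashes are placeholders, not real digests).
SAMPLE_SHADOW='alice:$6$abc$hash:19700:7:90:7:30::
bob:$6$def$hash:19700:0:99999:7:::
carol:!$6$ghi$hash:19700:7:90:7:30::
dave:*:19700:0:99999:7:::'

# Policy thresholds, matching the passwd -n/-x/-w/-i values above.
POLICY_MIN=7
POLICY_MAX=90
POLICY_WARN=7

# Reads shadow-format lines from stdin and prints one line per account:
# "<name> <state>" followed by ": <findings>" when the aging fields
# deviate from policy. A hash starting with "!" (passwd -l) or "*"
# means password authentication is disabled for that account.
audit_shadow() {
    while IFS=: read -r name hash lastchg min max warn inactive expire flag; do
        [ -z "$name" ] && continue
        case "$hash" in
            '!'*|'*'*) state=locked ;;
            '')        state=NOPASSWORD ;;
            *)         state=active ;;
        esac
        findings=""
        [ "${min:-0}" -lt "$POLICY_MIN" ] && findings="$findings min<$POLICY_MIN"
        [ "${max:-99999}" -gt "$POLICY_MAX" ] && findings="$findings max>$POLICY_MAX"
        [ "${warn:-0}" -lt "$POLICY_WARN" ] && findings="$findings warn<$POLICY_WARN"
        [ -z "$inactive" ] && findings="$findings inactive-unset"
        printf '%s %s%s\n' "$name" "$state" "${findings:+:$findings}"
    done
}

# Number of sample accounts with at least one finding (for monitoring).
count_noncompliant() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | grep -c ':'
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Note that passwd -l only prefixes the stored hash with "!", so it blocks password logins but not other methods such as SSH keys; to disable an account entirely, also set an expiry date (for example with usermod -e or chage -E).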
System-Wide Password Policy Configuration
Global password rules are controlled by:
- /etc/login.defs – password aging defaults
- files under /etc/pam.d/ – authentication and complexity rules
- pam_pwquality.so or pam_cracklib.so – enforces password strength
Typical enforced rules include minimum length, character variety, and prevention of dictionary-based passwords.
Best Practices for Password Security
- Enforce strong password complexity and length
- Set regular password expiration policies
- Lock unused or temporary accounts
- Encourage the use of password managers
- Combine passwords with multi-factor authentication where possible
In summary, effective password policies using passwd and PAM configurations are a critical part of Unix system security, helping protect users, data, and services from unauthorized access.