chage command in Linux for password aging control

Learn chage command in Linux with several examples. View, edit password aging parameters using chage command to secure your Linux accounts.

Controlling password aging of user accounts is very much important for the security of the server. This ensures users are always updated with passwords and there are no old passwords or accounts living on the server which are vulnerable to compromise.

Read also: Linux user account policies

chage command aims at viewing and editing password aging information. This command is capable of editing below password attributes :

• Last change date
• Expiry date
• Minimum days
• Maximum days
• Warning days
• Inactivity period
• View attributes

Let’s see all of the above, one by one :

1. Last change date

This is the number of days from Unix date i.e. 1 Jan 1970 when the password was last changed. Normally this date changes automatically when the user changes his password. But, if you want to change it manually you can use chage command with -d switch like below :

# chage -d 2016-03-12 user4  << YYYY-MM-DD format

You can view change in date by comparing before and after the output of chage -l <user> command. This date is displayed against the “Last password change” attribute in the output. We will see this output in detail in the last part of this post.

2. Expiry date

This is the date on which account will expire and the user won’t be able to log in until he changes his account password. It can also be set as YYYY-MM-DD format with -E option as below :

# change -E 2016-12-05 user4

This date changes automatically whenever the user changes his password. It checks the maximum days attribute and adds those many days to the current date (date of password change); the resulting date will be an expiry date.

Setting this to -1 removes the account password expiry. That account will have a non-expiry password and never need to change the password in the future.

3. Minimum days

These are a number of days a user must wait to make another password change on his account. For example, if this is set to 7 then once a user changes the password, he can not change the password again until 7 days. This can be set using -m option.

# chage -m 7 user4

Setting this parameter to 0 enables the user to change his password at any time (no restriction).

4. Maximum days

These are a number of days users can use the same password. For example, if this is set to 20 days then the user must change the password after 20 days. This value decides the password expiration date we saw above. This can be set using -M option

# chage -M 30 user4

If you want to remove this restriction and want to use the same password forever then you need to set the expiration date to -1 which we saw earlier.

5. Warning days

These are a number of days before the password expiry date, the user starts seeing a warning on his login screen about password expiry. User warning will be shown post-login like below :

login as: user4
user4@10.10.2.5's password:
Warning: your password will expire in 6 days
Last login: Thu Dec 29 17:17:32 2016 from 10.10.2.10
#

You can set this attribute using -W option

# chage -W 7 user4

6. Inactivity period

These are a number of days the account can remain inactive after the password is expired. After which account will be locked for security reasons since idle accounts vulnerable to compromise. This can be set using -I option.

# chage -I 10 user4

If you set this to -1 then this restriction will be waived off from that account.

7. Viewing all the above attributes

To view all the above attributes you can use -l option :

# chage -l user4
Last password change                                    : Mar 12, 2016
Password expires                                        : Jun 10, 2016
Password inactive                                       : never
Account expires                                         : Nov 30, 2016
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

In above output:

• Last password change is Last change date -d
• Account expires is the expiry date -E
• Password inactive is Inactivity period -I
• Account expires is the expiry date for the account. Last change date plus maximum days.
• Minimum number of days……. is minimum days -m
• Maximum number of days……. is maximum days -M
• Number of days of warning …… is warning days -W

You can check this output before changing any attribute using the above commands. Check change in attribute post command execution again!

Let us know queries, suggestions, feedback, corrections in the comments below.