How to change a user password in Linux

Changing a user password restores access after a forgotten credential, rotates a password that is no longer trusted, and hands an account back to its owner with a known login secret.

On most Linux systems, the passwd command asks the active user for their current password, writes the replacement through PAM, and stores the resulting password hash in the local shadow database. An administrator can also run passwd username to replace the password for another local account without knowing the old one first.

Password policy, expiry, and account source still matter after the reset. Complexity rules enforced by PAM can reject weak passwords, directory-backed accounts such as LDAP or Active Directory may require a different tool, and a temporary administrator-set password is usually safer when paired with an immediate expiry so the user must choose a private replacement at the next login.

Steps to change a user password in Linux with passwd:

  1. Change the current account password interactively with passwd.
    $ passwd
    Changing password for user.
    Current password:
    New password:
    Retype new password:
    passwd: password updated successfully

    Password input stays hidden while typing, so no characters or placeholders are normally echoed at the prompts.

  2. Reset another local user's password as an administrator when the old password is unknown or must be replaced immediately.
    $ sudo passwd audituser
    New password:
    Retype new password:
    passwd: password updated successfully

    This replaces the existing password at once, but it does not end active sessions or revoke SSH keys that already work for the account.

  3. Expire the temporary password when the user should be forced to choose a new one at the next login.
    $ sudo passwd --expire audituser
    passwd: password changed.

    Use this after setting a temporary password so the administrator never needs to keep the long-term secret.

  4. Check the short password status to confirm the account still has a usable password and that the forced-change flag is active.
    $ sudo passwd --status audituser
    audituser P 1970-01-01 0 99999 7 -1

    The P status means the account still has a usable password hash, and the 1970-01-01 last-change value appears after --expire marks the password for immediate replacement.

  5. Review the full password ageing data when the next login should prompt for a password change.
    $ sudo chage --list --iso8601 audituser
    Last password change					: password must be changed
    Password expires					: password must be changed
    Password inactive					: password must be changed
    Account expires						: never
    Minimum number of days between password change		: 0
    Maximum number of days between password change		: 99999
    Number of days of warning before password expires	: 7

    chage reads local shadow-file ageing data, so centrally managed accounts may need the identity provider's own password-reset workflow instead.
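
The check from steps 4 and 5 can be scripted so a reset is confirmed the same way every time. The following is an added example, not part of the original guide: it assumes the seven-field passwd --status format shown in step 4, and the function names and all sample lines other than the audituser one are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `passwd --status` lines (seven-field format from step 4).

# classify_status: read status lines on stdin, print "<user> <verdict>" per line.
# A last-change field equal to the epoch date means --expire has flagged the
# password for replacement at the next login. The MM/DD/YYYY spelling is an
# assumption covering passwd builds that print dates that way.
classify_status() {
    awk '
    NF == 0 { next }                              # skip blank lines
    NF < 7  { print $1, "unparsed"; next }        # not the seven-field format
    {
        if ($2 == "L")       v = "locked"         # password is locked
        else if ($2 == "NP") v = "no-password"    # no password set
        else if ($2 != "P")  v = "unknown-status"
        else if ($3 == "1970-01-01" || $3 == "01/01/1970") v = "must-change"
        else v = "usable"                         # P with a real change date
        print $1, v
    }'
}

# reset_ok USER: succeed only if USER has a usable hash AND the forced-change flag,
# which is the state expected after steps 2 and 3.
reset_ok() {
    classify_status | grep -qxF "$1 must-change"
}

# Constructed sample input; only the audituser line appears on the page.
sample_status() {
    cat <<'EOF'
audituser P 1970-01-01 0 99999 7 -1
alice P 2024-03-11 0 99999 7 -1
svc-backup L 2023-09-02 0 99999 7 -1
guest NP 2024-01-15 0 99999 7 -1
EOF
}

# Demonstration on the sample; prints one verdict per account.
sample_status | classify_status
```

On a live host, pipe the real output in instead of the sample, for example `sudo passwd --status audituser | reset_ok audituser`. A verdict of usable after a temporary reset means step 3 was skipped and the administrator-set password is still the long-term secret.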