Changing a user password restores access after a forgotten credential, rotates a password that is no longer trusted, and hands an account back to its owner with a known login secret.
On most Linux systems, the passwd command asks the active user for their current password, writes the replacement through PAM, and stores the resulting password hash in the local shadow database. An administrator can also run passwd username to replace the password for another local account without knowing the old one first.
Password policy, expiry, and account source still matter after the reset. Complexity rules enforced by PAM can reject weak passwords, directory-backed accounts such as LDAP or Active Directory may require a different tool, and a temporary administrator-set password is usually safer when paired with an immediate expiry so the user must choose a private replacement at the next login.
Related: How to lock a user account in Linux
Related: How to force logout a user in Linux
Steps to change a user password in Linux with passwd:
- Change the current account password interactively with passwd.
$ passwd
Changing password for user.
Current password:
New password:
Retype new password:
passwd: password updated successfully
Password input stays hidden while typing, so no characters or placeholders are normally echoed at the prompts.
- Reset another local user's password as an administrator when the old password is unknown or must be replaced immediately.
$ sudo passwd audituser
New password:
Retype new password:
passwd: password updated successfully
This replaces the existing password at once, but it does not end active sessions or revoke SSH keys that already work for the account.
- Expire the temporary password when the user should be forced to choose a new one at the next login.
$ sudo passwd --expire audituser
passwd: password changed.
Use this after setting a temporary password so the administrator never needs to keep the long-term secret.
- Check the short password status to confirm the account still has a usable password and that the forced-change flag is active.
$ sudo passwd --status audituser
audituser P 1970-01-01 0 99999 7 -1
The P status means the account still has a usable password hash, and the 1970-01-01 last-change value appears after --expire marks the password for immediate replacement.
- Review the full password ageing data when the next login should prompt for a password change.
$ sudo chage --list --iso8601 audituser
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
chage reads local shadow-file ageing data, so centrally managed accounts may need the identity provider's own password-reset workflow instead.
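To check the result of a reset across several accounts, the status line from the steps above can be classified by script. The following is an added example, not part of the original article: the function names are hypothetical, the sample lines other than audituser are constructed, and the L and NP status codes are taken from passwd(1) rather than from this page.

```shell
#!/bin/sh
# Added example: interpret `passwd --status` lines (seven-field shadow-utils
# format, as shown in the steps above). Function names are hypothetical.

# classify_status LINE -> must-change | usable | locked | no-password | unparsed
classify_status() {
    set -f            # no filename globbing while splitting the line
    set -- $1         # split on whitespace into positional fields
    set +f
    [ "$#" -eq 7 ] || { echo unparsed; return 2; }
    case $2 in
        P)  # usable hash; 1970-01-01 is what --expire leaves behind
            if [ "$3" = "1970-01-01" ]; then echo must-change; else echo usable; fi ;;
        L)  echo locked ;;
        NP) echo no-password ;;
        *)  echo unparsed; return 2 ;;
    esac
}

# audit_status: read status lines on stdin, print "<user> <state>" per line.
audit_status() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%% *}" "$(classify_status "$line")"
    done
}

# Constructed sample input; only the audituser line comes from the page.
sample_lines() {
    cat <<'EOF'
audituser P 1970-01-01 0 99999 7 -1
alice P 2024-03-11 0 99999 7 -1
svc-backup L 2023-11-02 0 99999 7 -1
guest NP 2024-01-05 0 99999 7 -1
truncated P 2024-01-05
EOF
}

sample_lines | audit_status
# Live use: sudo passwd --status audituser | audit_status
```

A line that does not have exactly seven fields is reported as unparsed instead of being guessed at, which matters on systems whose passwd prints a different status format.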
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
