passwd and chage: Password and Account Aging
What You'll Learn
- The difference in roles between
passwdandchage - How to change passwords, lock accounts, and check status with confidence
- How to set password aging to match your policy
- How to read
/etc/shadowto see the current state at a glance
Quick Summary
- The password value itself (change, lock, delete) ->
passwd - The aging rules (max / min / warning / expiry) ->
chage - Both write to the same
/etc/shadow. Operating on other users requires root (sudo)
Assumptions
- OS: Ubuntu / general Linux (shadow-utils)
- Operating on other users assumes
sudo - Covers local accounts (managed in
/etc/shadow). LDAP / AD-integrated environments are out of scope
What is the difference between passwd and chage?
Conclusion:
passwdoperates on the password "value", whilechageoperates on the password "aging rules". Both target different fields of the same/etc/shadow.
A line in /etc/shadow is made of 9 colon-separated fields. Splitting where each command writes makes the roles clear.
alice:$6$xxxx...:19876:7:90:7:30:20089: │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └ (8) Account expiration date (days since 1970-01-01) │ │ │ │ │ │ └ (7) Inactive days after expiry │ │ │ │ │ └ (6) Warning days before expiry │ │ │ │ └ (5) Maximum password age (days) │ │ │ └ (4) Minimum days before re-change │ │ └ (3) Last password change (days since 1970-01-01) │ └ (2) Hashed password └ (1) Username
passwd-> rewrites field 2 (the hash)chage-> rewrites fields 3-8 (aging / expiry)
Date fields are stored as "days since 1970-01-01". chage -l converts them into a human-readable form (see below).
How do you change a password?
Conclusion: Change your own password with just
passwd. Changing another user's password requires root viasudo passwd username.
Your own password
$ passwd
Enter the current password once and the new password twice. Nothing is shown on screen while typing (by design).
Another user's password (admin)
$ sudo passwd alice
You are not asked for the current password; just enter the new password twice.
After setting an initial password for a new user, force them to change it at next login. Use passwd --expire alice (equivalent to chage -d 0 below).
How do you lock an account or check its status?
Conclusion: Use
passwd -lto lock,passwd -uto unlock, andpasswd -Sto check status on one line. Locking disables password auth by prefixing the hash with!.
Check status
$ sudo passwd -S alice
alice P 06/05/2026 0 99999 7 -1
The second column means:
P: a usable password is setL: lockedNP: no password set
Lock and unlock
# Disable password auth (departed staff, dormant accounts, etc.) $ sudo passwd -l alice # Unlock $ sudo passwd -u alice
passwd -l only stops password authentication. It does not stop SSH key authentication. To fully lock someone out, also use account expiry (chage -E, or usermod -L plus disabling the shell).
How do you check password expiry?
Conclusion: Run
chage -l usernameto list the last change date, next expiry, and all policies in human-readable form.
$ sudo chage -l alice
Last password change : Jun 05, 2026 Password expires : Sep 03, 2026 Password inactive : Oct 03, 2026 Account expires : never Minimum number of days between password change : 7 Maximum number of days between password change : 90 Number of days of warning before password expires : 7
- Password expires: the day this password stops working (last change + max)
- Password inactive: the day the account becomes unusable after the post-expiry grace runs out (+ inactive)
- Account expires: the day the account itself is disabled (set with
-E)
How do you set password aging?
Conclusion: Use
chage -Mfor the maximum age,-mfor the minimum,-Wfor warning days, and-Ifor the post-expiry grace. Multiple options can be combined into one command.
Main options
| Option | Meaning | Example |
|---|---|---|
-M |
Maximum age in days (expires beyond this) | -M 90 |
-m |
Minimum days before the password can be changed again | -m 7 |
-W |
Warning days before expiry | -W 7 |
-I |
Grace days before the account is disabled after expiry | -I 30 |
-E |
Account expiration date (YYYY-MM-DD) | -E 2026-12-31 |
-d |
Override the last-change date | -d 0 |
Set all at once
$ sudo chage -M 90 -m 7 -W 7 -I 30 alice
This means: "expire in 90 days, no re-change for 7 days after a change, warn 7 days before, disable the account 30 days after expiry."
Force a change at next login
$ sudo chage -d 0 alice
Resetting the last-change date to the epoch makes it count as "already expired", forcing a password change at next login.
To set each item interactively, run sudo chage alice with no options. Current values appear in [ ] and you can keep them by pressing Enter.
How do you set an account expiration date?
Conclusion: Use
chage -E dateto set the expiration of the account itself. Use it for fixed-term users or temporary accounts that should auto-disable.
# Disable the account on 2026-12-31 $ sudo chage -E 2026-12-31 alice # Clear expiry (revert to never) $ sudo chage -E -1 alice
-E is independent of password expiry (-M). When you must reliably stop login at the end of a contract, use -E (account expiry), not -M (password expiry).
Common mistakes and how to diagnose them
Conclusion: Most "cannot change" or "locked out immediately" issues come from the min-days setting,
-d 0, or an expiry-date mistake. Always confirm the state withchage -l.
Cannot change the password yet
You must wait longer to change your password
The -m (minimum days) setting is in effect. As admin you can change it immediately with sudo passwd.
Locked out right after configuring
Check whether chage -d 0 combined with -M/-I created an "expire now + zero grace" situation.
$ sudo chage -l alice
Do not age the root password
Applying aging to system accounts or root risks locking yourself out. Restrict policy to interactive, regular user accounts.
What not to do
- Carelessly applying aging to
rootor service accounts - Confusing
chage -Ewithpasswd -l(the former is the account, the latter is the password) - Leaving settings unverified instead of confirming with
chage -l