0
0
Linux CLIscripting~15 mins

passwd (change password) in Linux CLI - Deep Dive

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Overview - passwd (change password)
What is it?
The passwd command in Linux is used to change a user's password. It prompts the user to enter the current password and then the new password twice to confirm. This command helps keep user accounts secure by allowing password updates. It works for both regular users and administrators managing other accounts.
Why it matters
Passwords protect user accounts from unauthorized access. Without the ability to change passwords easily, accounts could become vulnerable to attacks or misuse. The passwd command ensures users can update their credentials regularly, maintaining system security and privacy. Without it, managing user access would be risky and cumbersome.
Where it fits
Before learning passwd, you should understand basic Linux commands and user accounts. After mastering passwd, you can explore user management commands like useradd, usermod, and group management. This fits into the broader topic of Linux system administration and security.
Mental Model
Core Idea
The passwd command securely updates a user's password by verifying the old password and confirming the new one.
Think of it like...
Changing your password with passwd is like changing the lock on your front door: you must prove you own the key first, then set a new key that only you know.
┌───────────────┐
│ User runs     │
│ 'passwd'      │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Prompt: Enter │
│ current pwd   │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Prompt: Enter │
│ new pwd       │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Prompt: Re-   │
│ enter new pwd │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Password      │
│ updated       │
└───────────────┘
Build-Up - 6 Steps
1
FoundationBasic passwd command usage
🤔
Concept: Learn how to run the passwd command to change your own password.
Open a terminal and type 'passwd'. The system will ask for your current password, then ask you to enter a new password twice. If both new passwords match and meet security rules, your password changes.
Result
You successfully change your user password after confirming the new password.
Knowing the basic flow of passwd helps you understand how Linux protects password changes by verifying identity and confirming new credentials.
2
FoundationPassword confirmation and security rules
🤔
Concept: Understand why passwd asks for the new password twice and enforces rules.
When you enter a new password, passwd asks you to type it again to avoid typos. It also checks password strength like length and complexity based on system policies to keep accounts secure.
Result
Password change only succeeds if both entries match and meet security requirements.
This double-entry and validation prevent accidental lockouts and weak passwords, which are common security risks.
3
IntermediateChanging another user's password as root
🤔Before reading on: do you think a normal user can change another user's password with passwd? Commit to yes or no.
Concept: Learn how system administrators can change passwords for other users using passwd with elevated privileges.
If you are root or have sudo rights, you can run 'sudo passwd username' to change another user's password without knowing their current password. This is useful for account recovery or setup.
Result
The specified user's password is updated after entering the new password twice.
Understanding privilege levels clarifies why normal users must know their current password, but admins can override this to manage accounts.
4
IntermediatePassword expiration and forced change
🤔Before reading on: do you think passwd can force a user to change password at next login? Commit to yes or no.
Concept: Explore how passwd can set password expiration policies to improve security.
Using 'passwd -e username', an admin can expire a user's password immediately, forcing them to choose a new one at next login. This helps enforce regular password updates.
Result
User must change password on next login due to expiration.
Knowing how to enforce password changes helps maintain strong security hygiene across users.
5
AdvancedUnderstanding PAM integration with passwd
🤔Before reading on: do you think passwd works alone or relies on other system components? Commit to your answer.
Concept: Learn that passwd uses PAM (Pluggable Authentication Modules) to handle password policies and authentication.
When you run passwd, it calls PAM modules configured in /etc/pam.d/passwd. These modules enforce password complexity, history, and lockout rules. This modular design allows flexible security policies.
Result
Password changes respect system-wide security rules defined by PAM.
Understanding PAM's role reveals how passwd adapts to different security needs without changing the command itself.
6
ExpertSecurity risks and mitigation with passwd
🤔Before reading on: do you think passwd can be exploited if misconfigured? Commit to yes or no.
Concept: Examine potential security pitfalls with passwd and how to avoid them.
If PAM or passwd permissions are misconfigured, attackers might bypass password checks or escalate privileges. For example, weak PAM rules or writable passwd binaries can be exploited. Regular audits and strict permissions prevent this.
Result
A secure system prevents unauthorized password changes and privilege escalation.
Knowing these risks helps admins harden systems and avoid common security mistakes that could compromise user accounts.
Under the Hood
The passwd command interacts with system authentication files like /etc/shadow, which stores encrypted passwords. It uses PAM to apply authentication and password policies. When changing a password, passwd verifies the current password by checking the encrypted hash, then updates the hash with the new password after validation. This process ensures passwords are never stored or transmitted in plain text.
Why designed this way?
passwd was designed to separate user interaction from authentication logic by using PAM, allowing flexible security policies without changing the command. Storing encrypted passwords in /etc/shadow protects them from casual access. The double-entry and verification steps reduce user errors and improve security.
┌───────────────┐
│ User runs     │
│ 'passwd'      │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ passwd calls  │
│ PAM modules   │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ PAM checks    │
│ current pwd   │
│ against       │
│ /etc/shadow   │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ PAM enforces  │
│ password      │
│ policies      │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ /etc/shadow   │
│ updated with  │
│ new password  │
│ hash          │
└───────────────┘
Myth Busters - 4 Common Misconceptions
Quick: Can a normal user change another user's password with passwd? Commit to yes or no.
Common Belief:A normal user can change any user's password by running 'passwd username'.
Tap to reveal reality
Reality:Only root or users with sudo privileges can change other users' passwords without knowing their current password.
Why it matters:Believing this can lead to failed attempts and confusion about permissions, potentially causing security concerns if users try unsafe workarounds.
Quick: Does passwd store your password in plain text? Commit to yes or no.
Common Belief:passwd saves the new password as plain text in system files.
Tap to reveal reality
Reality:passwd stores only encrypted (hashed) versions of passwords in /etc/shadow, never plain text.
Why it matters:Misunderstanding this can cause unnecessary fear or misuse of password files, risking system security.
Quick: Does entering mismatched new passwords still change your password? Commit to yes or no.
Common Belief:If you mistype the new password confirmation, passwd still changes your password.
Tap to reveal reality
Reality:passwd requires both new password entries to match exactly; otherwise, it aborts the change.
Why it matters:This prevents accidental lockouts and ensures users know their new password.
Quick: Can passwd bypass system password policies? Commit to yes or no.
Common Belief:passwd ignores system password complexity and expiration policies.
Tap to reveal reality
Reality:passwd enforces policies through PAM modules, so it respects system-wide rules.
Why it matters:Ignoring this leads to weak passwords and security vulnerabilities.
Expert Zone
1
passwd's behavior depends heavily on PAM configuration, which can vary widely between Linux distributions and environments.
2
The encrypted password hashes in /etc/shadow use different algorithms (e.g., SHA-512), and passwd adapts to these automatically.
3
Using passwd in scripts requires careful handling of input and permissions to avoid security risks or automation failures.
When NOT to use
passwd is not suitable for bulk password changes or automated user provisioning; tools like chpasswd or usermod with scripting are better. Also, passwd cannot manage password policies alone; PAM and other tools are needed for comprehensive security.
Production Patterns
In production, passwd is used interactively by users and admins for individual password changes. Automated systems use PAM-aware scripts or centralized authentication services (LDAP, Kerberos) that integrate with passwd for consistent security.
Connections
PAM (Pluggable Authentication Modules)
passwd relies on PAM to enforce authentication and password policies.
Understanding PAM helps grasp how passwd adapts to different security requirements without changing its interface.
Hash Functions in Cryptography
passwd stores passwords as cryptographic hashes to protect them.
Knowing how hashing secures passwords clarifies why passwd never stores or shows plain text passwords.
Physical Security Locks
Both passwd and physical locks require proof of ownership before granting access.
This cross-domain connection highlights the universal principle of verifying identity before allowing changes.
Common Pitfalls
#1Trying to change another user's password without root privileges.
Wrong approach:passwd otheruser
Correct approach:sudo passwd otheruser
Root cause:Misunderstanding user permissions and the need for administrative rights.
#2Entering mismatched new passwords and expecting the change to succeed.
Wrong approach:Type new password 'abc123' and confirmation 'abc124' during passwd prompt.
Correct approach:Ensure both new password entries match exactly before pressing enter.
Root cause:Not realizing passwd requires exact confirmation to prevent errors.
#3Running passwd in a script without handling input securely.
Wrong approach:echo 'newpassword' | passwd username
Correct approach:Use 'chpasswd' or PAM-aware tools designed for scripting password changes.
Root cause:Lack of understanding about passwd's interactive design and security implications.
Key Takeaways
The passwd command securely changes user passwords by verifying the current password and confirming the new one.
It relies on PAM modules to enforce password policies and system security rules.
Only users with proper permissions can change other users' passwords, protecting account integrity.
Password changes require careful confirmation to avoid mistakes and lockouts.
Understanding passwd's integration with system security helps prevent common mistakes and vulnerabilities.