How to change an user password in Linux

Aug 292014

If you manage a server with many different users or just your family computer you will probably have many different accounts to manage, and one important aspect of any account it’s its password.

In this small article I’ll show you how to use the basic passwd command but also how to do some small bash script or use a web application, if you have a more complex environment, such as a central ldap server that keep all your accounts information.

1) Passwd

First method to change the password for an account, the good and old passwd command.
The passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.

Basic usage of passwd as root that want to change the password of user tom in the interactive way:

[root@myhost ~]# passwd tom
Changing password for user tom.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

So just use the command passwd followed by the username, and you’ll change his password.

2) Chpasswd

The command chpasswd is used to change the password of multiple users in batch mode.

The chpasswd command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users. Each line is of the format:

user_name:password

By default the passwords must be supplied in clear-text, and are encrypted by chpasswd.
Also the password age will be updated, if present.

# Chpasswd command is very simple to use 
[ root@myhost ~ ] # echo "tom:1234" | chpasswd
 
# Using the passwd command, you can also change the password in a batch like mode
[ root@myhost ~ ] # echo "1234" | passwd --stdin "tom" 
Changing password for user tom.
 passwd: All authentication tokens Updated successfully.

3) Using expect to build an interactive script

Expect is a program that “talks” to other interactive programs according to a script. Following the script, Expect knows what can be expected from a program and what the correct response should be. An interpreted language provides branching and high-level control structures to direct the dialogue. In addition, the user can take control and interact directly when desired, afterward returning control to the script.

So we could make a simple script called changepasswd.sh that contains something like this:

#!/bin/sh
# \
exec expect -f "$0" "$@"
if { $argc != 2 } {
    puts "Usage: $argv0  "
    exit 1
}
set password [lindex $argv 1]
spawn passwd [lindex $argv 0]
sleep 1
expect "assword:"
send "$password\r"
expect "assword:"
send "$password\r"
expect eof

And the output will be something similar to this one:

[root@myhost ~]# ./changepasswd.sh tom 1234
spawn passwd tom
Changing password for user tom.
New password: 
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password: 
passwd: all authentication tokens updated successfully.

4) Using a web application

If you have a larger environment probably you are using an LDAP server to manage centrally all your accounts, in this case the above solutions are not useful and you need something that can change the password on your ldap server and that it’s easily usable by your users, I suggest to take a look at the LTB Project.

Self Service Password is a PHP application that allows users to change their password in an LDAP directory.

The application can be used on standard LDAPv3 directories (OpenLDAP, OpenDS, ApacheDS, Sun Oracle DSEE, Novell, etc.) and also on Active Directory.

It has the following features: