# passwd

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/passwd

## Quick definition

The passwd command lets you change your login password on Linux or Unix systems. When you run it, it asks for your current password (if you're not the root user), then asks for a new password twice to confirm. The system checks that the new password meets minimum security requirements before updating the encrypted password file.

## Simple meaning

Think of the passwd command like the front desk at a gym where members check in. When you first join the gym, you get a membership card and a PIN code. But maybe you want to change that PIN to something easier for you to remember, or perhaps you suspect someone else knows it. You go to the front desk, show your ID (that’s like entering your current password), and then you request a new PIN. The staff make sure your new PIN isn't obviously weak, like “1234” or your birth year, and that you type it correctly twice so there’s no typo. Once approved, they update your record in the computer system. From then on, you use the new PIN to enter the gym. In a computer system, passwd does exactly this. It checks your current identity, validates your new password against policy rules, and updates the secure, encrypted storage where passwords live. The old password is gone and only the new one will work going forward. This is a fundamental security action on any multi-user system, because passwords are the first line of defense against unauthorized access. Without passwd, users would have to ask an administrator to change their password manually, which is inefficient and insecure.

This simple command has a surprisingly important job. It doesn’t just change a string of text; it interacts with the system’s authentication database, which is often protected so that even system administrators cannot see plaintext passwords. The command also enforces password aging policies, such as forcing a change after a certain number of days, and can lock or unlock accounts. For IT professionals, understanding passwd is essential for managing users securely, scripting user maintenance tasks, and troubleshooting login issues. Even though it seems straightforward, the underlying processes involve encryption algorithms, file permissions, and system security policies.

## Technical definition

The passwd command is part of the GNU Core Utilities or the shadow-utils package on most Linux distributions. Its primary function is to update the authentication tokens (passwords) for user accounts. When a user invokes passwd without arguments, it defaults to changing the password for the current user. The root user can change any user’s password by specifying a username (e.g., passwd jdoe). The command operates by interacting with the system’s Pluggable Authentication Modules (PAM) framework. PAM is a flexible library that defines how authentication tasks are handled. The passwd command calls PAM functions to verify the user’s identity (if required), validate the new password against policies (such as length, complexity, and reuse), and then update the credential database.

Under the hood, passwords are not stored in plain text. Historically, encrypted passwords were stored in /etc/passwd, which is world-readable. Modern systems use shadow passwords, where the actual password hash resides in /etc/shadow, readable only by root. This file uses the format: username:hash:last_change:min_age:max_age:warn_period:inactive_expire:expire_date:reserved. The hash itself is produced by a one-way cryptographic function, such as SHA-512 (often represented as $6$ in the hash string) or the more recent yescrypt or argon2 algorithms. When you run passwd, it generates a new salt (a random string) and computes the hash of your new password combined with the salt. It then writes this hash along with the current date (for aging) to /etc/shadow.

The command also respects a variety of options. For example, passwd -l locks an account by prefixing the hash with an exclamation mark, effectively disabling password authentication. passwd -u unlocks it. passwd -d deletes a password, allowing login without a password (often used for system accounts). passwd -e forces a password change at the next login by setting the last change date to 0. passwd -n, -x, -w, and -i set minimum password age, maximum password age, warning period, and inactivity period respectively. These options directly modify the fields in /etc/shadow. On enterprise systems, the command may also contact a remote authentication server, such as an LDAP or Active Directory domain controller, through PAM or Name Service Switch (NSS) modules. In those cases, passwd updates the remote directory instead of the local /etc/shadow. The command returns an exit code of 0 on success and non-zero on failure, which allows it to be used in automation scripts.

## Real-life example

Imagine your apartment building has a secure entry system with a keypad. Every resident has their own 4-digit code to open the front door. One day, you realize you accidentally told your code to a neighbor while chatting, and now you’re worried they might let themselves into the building when you’re not around. So you go to the building manager’s office. The manager looks you up in the system by your apartment number and asks you to confirm your current code to prove you’re the resident. Once verified, you type in a new code, and then type it again to make sure you didn’t miskey. The manager checks that the new code isn’t too simple, like 0000 or 1234, and that it’s different from your old code. Satisfied, they update the building’s security database. The next time you come home, you punch in the new code and the door unlocks. The old code no longer works.

This apartment scenario maps directly to how passwd works on a Linux system. The building manager’s office is the passwd command running with root or user permissions. The check of your current code is authentication, the double-entry of the new code is confirmation, and the policy check against weak codes is the system’s password quality enforcement (often through the cracklib library or PAM pwquality module). The building’s security database is the /etc/shadow file, and the codes’ hashing would be equivalent to encrypting the codes in a way that even the manager cannot reverse them easily. Just as the building manager doesn’t store your code in plain text on a sticky note, the system never stores your actual password. It stores a one-way cryptographic hash. And just as the manager can also temporarily disable your code if you go on vacation (account lock), or set an expiry date for a temporary worker, passwd offers options to lock, unlock, or expire accounts.

## Why it matters

In any IT environment that runs Linux or Unix, user authentication is the gatekeeper to system resources. The passwd command is the standard tool for changing those authentication credentials. Without it, every password change would require a system administrator to manually edit the /etc/shadow file, which is error-prone and a security risk. More importantly, passwd integrates with system security policies that enforce password complexity and aging, ensuring that users do not use weak, reused, or old passwords that are easily guessed or cracked. For IT professionals, passwd is not just a simple utility; it is the front line of defense against unauthorized access. In corporate networks, compliance frameworks such as PCI-DSS, HIPAA, and SOX require that passwords be changed periodically and meet minimum strength requirements. The passwd command’s ability to enforce password expiration and lock accounts after inactivity helps organizations meet these regulatory requirements.

understanding passwd is essential for troubleshooting login failures. If a user cannot log in, the problem might be a locked account, an expired password, or a mismatched hash in /etc/shadow. Knowing how to use passwd -S (status) to inspect a user’s password state, or passwd -l to lock a compromised account, can resolve issues quickly. In scripting and automation, the command is used with the --stdin option (or via chpasswd) to set passwords non-interactively during bulk user creation or system provisioning. This requires careful handling of password security, as passing plaintext passwords on the command line can expose them in process listings. Therefore, professionals often use alternative methods like a pipe to /usr/bin/passwd or the newer chage command for aging policies. The passwd command’s role in PAM integration also means that when a system is connected to a central identity provider such as LDAP or Active Directory, the local passwd command may trigger a remote password update. This distributed authentication model is common in enterprise environments, so understanding how passwd interacts with these services is critical for system administrators.

## Why it matters in exams

The passwd command is a core objective in several IT certification exams, particularly those covering Linux system administration. In the CompTIA Linux+ (XK0-005) exam, candidates must demonstrate knowledge of managing user accounts, passwords, and authentication. Specific exam objectives include the ability to set and change user passwords, enforce password aging, and lock or unlock user accounts. Questions may ask about the correct options to lock an account (passwd -l), force a password change at next login (passwd -e), or display password status (passwd -S). In the Red Hat Certified System Administrator (RHCSA) exam, tasks often require adding users and setting their passwords using passwd as part of a larger system configuration. The exam might ask you to create a user, set a password, and then ensure the password expires after 90 days using a combination of passwd and chage.

In the LPIC-1 certification (101-500/102-500), candidates are tested on password management commands, including passwd and its options, as well as the relationship between passwd and the /etc/shadow and /etc/passwd files. Exam questions can be multiple-choice or simulation-based, where you must choose the correct command to accomplish a task. For the CompTIA Security+ exam, the passwd command itself is not tested directly, but the concepts of password policies, complexity, and aging are fundamental. You might see questions about how to enforce a password history or minimum length, which in Linux are configured via PAM modules (pam_pwhistory, pam_pwquality) and often applied through the passwd command. In the Cisco CCNA and other networking exams, passwd is less relevant because they focus on Cisco IOS, but the concept of local password definitions and the enable password command has a loose analogy.

Exam question types include: “Which command locks the user account 'jdoe'?” with multiple choices. A common correct answer is passwd -l jdoe. Another type: “After running 'passwd -e jdoe', what will happen the next time jdoe logs in?” The answer is they will be forced to change their password. Troubleshooting scenarios may ask: “A user reports they cannot log in. The administrator runs 'passwd -S jdoe' and sees 'PS 2023-01-15 0 99999 7 -1'. What does the 'PS' indicate?” (Answer: Password set and locked). These questions test your understanding of both the command syntax and the underlying meaning of password state fields. Therefore, it is essential to memorize the common options (-l, -u, -d, -e, -S) and to understand the output of passwd -S.

## How it appears in exam questions

In certification exams, passwd questions typically fall into three categories: command syntax, scenario-based administration, and troubleshooting. Command syntax questions are straightforward. For example: “Which option to the passwd command locks a user account?” The answer is -l. Or “What does passwd -e do?” It expires the password, forcing a change on next login. These questions test your familiarity with the options. Scenario-based questions present a situation where an administrator needs to perform a specific task. For instance: “The security policy requires that all new users must change their password upon first login. Which command should the administrator run after creating the user?” The expected answer is passwd -e username. Another scenario: “An employee resigned and the account must be disabled immediately. Which command should be used?” The correct response is passwd -l username.

Troubleshooting questions require interpreting the output of passwd -S or understanding why a password change failed. For example: “When running passwd, a user receives 'BAD PASSWORD: it is based on a dictionary word'. What is the most likely cause?” The answer is that the password fails the system’s password strength requirements, typically enforced by the pwquality PAM module. Another question: “After a system migration, all users report they cannot change their passwords. The passwd command returns 'passwd: Authentication token manipulation error'. What is the most likely cause?” The answer might be that the /etc/shadow file is read-only, or the filesystem is mounted read-only, or PAM is not properly configured. These questions require deeper understanding of the system’s authentication stack. Some exams include combined questions where you must use passwd alongside other commands like usermod or chage. For instance: “You need to set a user's password to expire after 30 days. Which two commands can you use?” Options might include both passwd -x 30 username and chage -M 30 username. Knowing that passwd can also set the maximum age with -x is a key detail.

Finally, performance-based questions (simulations) might ask you to actually type a command or navigate a virtual system. For example, in the RHCSA exam, you might be given a terminal and told “Create a user named webadmin with a password of 'Admin@123', and force the password to expire every 60 days.” You would need to use useradd, then passwd, and then passwd -x 60 webadmin or chage -M 60 webadmin. In these situations, knowing the exact options and being able to apply them without reference is critical. Always remember that passwd can do more than just set a password; it is a full account credential management tool.

## Example scenario

A small company called GreenLeaf IT has five employees who all use a shared Linux server for file storage. The company's security policy says passwords must be changed every 90 days and must be at least 8 characters long. Sarah, a new junior admin, is tasked with ensuring compliance. She logs into the server as root and first checks the password aging status of all users by running: for user in $(cut -d: -f1 /etc/passwd); do passwd -S $user 2>/dev/null; done. This shows her the current state of each account. She notices that user 'mike' has 'PS' (password set and locked) because Mike left the company last month. She leaves that account locked.

Next, she finds that user 'alice' has an account with password last changed 120 days ago, which violates the 90-day policy. Sarah runs passwd -x 90 alice to set the maximum password age to 90 days. But this alone doesn't force an immediate change. She also runs passwd -e alice to expire the password, so that next time Alice logs in, she will be prompted to set a new password. For the new hire 'james', Sarah creates his account (useradd james) and sets his password with passwd james. She then runs passwd -e james so he must change it on first login. She also sets the minimum age to 1 day with passwd -n 1 james to prevent him from immediately changing back to an old password. Finally, she runs passwd -S james to verify the status. The output shows 'PS 2025-01-01 1 90 7 -1', meaning password set, last changed Jan 1, minimum 1 day, maximum 90 days, warning 7 days, and no inactive period. Sarah documented these steps for audit compliance. This scenario demonstrates how passwd is used not only to set passwords but also to enforce security policies, lock accounts, and manage user lifecycles on a Linux system.

## Common mistakes

- **Mistake:** Thinking passwd -l unlocks an account instead of locking it.
  - Why it is wrong: The option -l stands for 'lock', but some learners confuse it with 'unlock'. Actually, -u is for unlock.
  - Fix: Remember: l = lock, u = unlock. Just like in L and U in the alphabet, L comes before U, so lock comes before unlock.
- **Mistake:** Running passwd without being root and assuming you can change another user's password.
  - Why it is wrong: Only the root user can change another user's password. A standard user can only change their own password after providing their current one.
  - Fix: Use sudo passwd username to change another user's password if you have sudo privileges, or log in as root.
- **Mistake:** Believing passwd -d deletes the user account.
  - Why it is wrong: passwd -d removes the password hash from /etc/shadow, allowing login without a password. It does not delete the user account.
  - Fix: To delete a user account, use userdel -r username. Use passwd -d only for service accounts that need no-password login.
- **Mistake:** Thinking that passwd encrypts the password in /etc/passwd.
  - Why it is wrong: On modern systems, password hashes are stored in /etc/shadow, not in /etc/passwd. /etc/passwd contains an 'x' in the password field to indicate shadow passwords are in use.
  - Fix: Check /etc/shadow (with root) to see password hashes. The /etc/passwd file should never contain actual password hashes on a secure system.
- **Mistake:** Assuming passwd -S output shows the actual password hash.
  - Why it is wrong: passwd -S shows account status (locked/unlocked), last change date, and aging parameters. It does not display the password hash for security reasons.
  - Fix: Use cat /etc/shadow | grep username to see the hash, but only with root privileges and with caution.
- **Mistake:** Using passwd interactively in a script without considering security.
  - Why it is wrong: Calling passwd in a script with the password passed as an argument (e.g., echo 'password' | passwd --stdin) may expose the password in process lists or log files.
  - Fix: Use chpasswd with input from a secure file, or use expect scripts, or use the --stdin option carefully with appropriate file permissions.

## Exam trap

{"trap":"Confusing passwd -e with passwd -x. Both change password policy but in different ways.","why_learners_choose_it":"Learners see both options relate to expiration and may assume they do the same thing or that -e means 'expire after x days'. They misread the 'e' as 'expiry period' instead of 'expire now'.","how_to_avoid_it":"Remember: passwd -e forces an immediate expiration, so the user must change password on next login. passwd -x N sets the maximum number of days the password is valid. Think of -e as 'expire immediately' and -x as 'maximum expiry period'."}

## Commonly confused with

- **passwd vs chage:** chage is used specifically for viewing and changing password aging information (last change, min days, max days, warning, inactivity). passwd can also set some of these aging values (like -n, -x, -w, -i), but chage is more specialized and offers more detailed control, including the ability to set an exact expiration date. (Example: Use chage -l username to view all aging info. Use chage -M 90 username to set max days, which is equivalent to passwd -x 90 username.)
- **passwd vs usermod:** usermod is a command to modify user account properties such as the home directory, UID, shell, group memberships, and account expiry date (usermod -e). passwd only deals with authentication tokens and password aging. They are complementary but not interchangeable. (Example: To lock a user account immediately, you can use both usermod -L username or passwd -l username. However, usermod -L places an exclamation mark at the beginning of the password hash, while passwd -l does the same. In practice, they are similar for locking.)
- **passwd vs pwconv:** pwconv is a tool that converts from traditional /etc/passwd password storage to shadow passwords by moving hashes to /etc/shadow. It is not for changing user passwords. It is used during system setup or migration. passwd is for everyday password changes. (Example: If you accidentally remove /etc/shadow, you can run pwconv to recreate it from /etc/passwd and /etc/login.defs. This is a system recovery task, not a routine operation.)

## Step-by-step breakdown

1. **Invoke the command** — The user types 'passwd' in a terminal. If run without arguments, it targets the current user. Optionally, a username can be specified (e.g., 'passwd jdoe') by root or sudo user. The system immediately checks if the user has proper permissions.
2. **Authentication (if non-root)** — If the user is not root, the command prompts for the current (old) password. The password input is not echoed to the screen. The system verifies the entered password against the stored hash in /etc/shadow. If it does not match, the command fails with 'Authentication failure'. Root is not prompted for the old password when changing another user's password.
3. **Password policy verification** — The user is prompted to enter a new password twice. The system, via PAM modules (pam_pwquality, pam_pwhistory), checks the new password against complexity rules: minimum length (often 8), character classes (uppercase, lowercase, digits, symbols), not being a dictionary word, not being based on the old password, and not being in the password history. If it fails, the command prints an error and returns to the prompt.
4. **Hashing and updating /etc/shadow** — If the new password passes all checks, the system generates a random salt and computes a cryptographic hash (SHA-512, yescrypt, or similar) of the new password combined with the salt. The hash is written to /etc/shadow in the field for the target user, along with the current date (as days since epoch) as the last change date. The old hash is overwritten.
5. **Aging fields update** — If options like -n (minimum days), -x (maximum days), -w (warn days), or -i (inactive days) were specified, those values are also written to the corresponding fields in /etc/shadow. For a normal passwd without options, the minimum and maximum aging values remain unchanged from their previous settings.
6. **Confirmation and exit** — The command outputs 'passwd: all authentication tokens updated successfully.' and exits with code 0. If any step fails (wrong old password, weak new password, file permission issue), the command outputs an appropriate error and exits with a non-zero code (typically 1 or 10). The /etc/shadow file is not partially updated; if an error occurs at any point, the old password remains intact.

## Practical mini-lesson

In a professional IT environment, the passwd command is rarely used in isolation. It is typically part of a larger user management workflow that includes useradd, groupadd, chage, and usermod. For example, a common task when provisioning a new server is to create user accounts and set initial passwords. A good practice is to generate a random password for each user and then force them to change it on first login using passwd -e. This prevents the administrator from knowing the user's final password. However, the initial password must be communicated securely, often via email or a secure portal. The command itself must be run with root privileges, so using sudo is standard.

Another important practical consideration is the password input method. Running passwd in an interactive shell is fine for one-off changes, but for bulk operations, you want to automate. Older versions of passwd supported the --stdin option, which allowed you to pipe the password via standard input: echo 'TempPass1' | passwd --stdin username. However, this is considered insecure because the password appears in the process table (visible via ps aux) and may be stored in shell history. Modern best practice is to use the chpasswd command, which reads a file with username:password pairs and handles them more securely. Alternatively, you can use a tool like makepasswd to generate random passwords and then feed them to chpasswd from a script.

What can go wrong? A very common issue is that passwd fails with 'Authentication token manipulation error'. This often indicates a permissions problem: the /etc/shadow file does not have the correct permissions (it should be 640 or 600, owned by root, group shadow). Another issue is a full filesystem, which prevents writing the new hash. Also, if the user's account is set to expire (via usermod -E or chage -E), the password change may still be allowed, but login will fail. The passwd -S command is the first tool for diagnosis: it shows if an account is locked (PS vs PL? Actually, the output includes fields: username, status (P for password, NP for no password, L for locked), last change date, min, max, warn, inactive. The status 'L' means the account is locked. The status 'P' means password is set but not locked. Understanding this output is crucial for troubleshooting.

Also, in environments using LDAP or AD, running passwd locally may not actually change the password on the identity server. Instead, it might try to change the local /etc/shadow, which is ignored for authentication. In such cases, the correct tool is the domain-specific command, such as smbpasswd for Samba, ldappasswd for LDAP, or kpasswd for Kerberos. You must understand the authentication context before using passwd. Finally, never share root passwords. Use sudo and individual user accounts. The passwd command is a basic but powerful tool, and mastering its nuances is expected of any competent Linux administrator.

## Commands

```
passwd
```
Changes the current user's password interactively.

```
passwd jdoe
```
Root changes the password for user jdoe. Root does not need the old password.

```
passwd -l jdoe
```
Locks the account of user jdoe by adding an exclamation mark to the password hash in /etc/shadow.

```
passwd -u jdoe
```
Unlocks the account of user jdoe, removing the exclamation mark from the password hash.

```
passwd -d jdoe
```
Deletes the password for user jdoe, allowing login without a password. Use with caution.

```
passwd -e jdoe
```
Expires the password for user jdoe, forcing a password change on next login.

```
passwd -S jdoe
```
Shows the password status for user jdoe: status (P=password set, L=locked, NP=no password), last change date, min/max/warn/inactive days.

```
passwd -x 90 jdoe
```
Sets the maximum password age to 90 days for user jdoe.

```
passwd -n 1 jdoe
```
Sets the minimum password age to 1 day, preventing immediate password changes.

```
passwd -w 10 jdoe
```
Sets the warning period to 10 days before the password expires.

```
passwd -i 5 jdoe
```
Sets the inactive period to 5 days after password expiration before the account is locked.

## Troubleshooting clues

- **passwd returns 'passwd: Authentication token manipulation error'** — symptom: undefined. undefined
- **passwd returns 'passwd: Authentication failure' when changing own password** — symptom: undefined. undefined
- **passwd returns 'BAD PASSWORD: it is based on a dictionary word'** — symptom: undefined. undefined
- **passwd returns 'passwd: password unchanged'** — symptom: undefined. undefined
- **passwd -S shows 'L' status but you thought the account was unlocked** — symptom: undefined. undefined

## Memory tip

For passwd options: 'l' = lock, 'u' = unlock, 'd' = delete password, 'e' = expire now, 'S' = status (all letters are unique). For aging: 'n' = minimum (think 'no change until'), 'x' = maximum (think 'eXpiry'), 'w' = warn, 'i' = inactive.

## FAQ

**What is the difference between passwd and chpasswd?**

passwd is for interactive password changes or one-off changes with options. chpasswd is designed for bulk password updates, reading a file with username:password pairs, making it more suitable for scripting.

**Can I use passwd to set a password for a user that is not in /etc/passwd?**

No, passwd only works for local user accounts defined in /etc/passwd and /etc/shadow. For users in LDAP or Active Directory, you must use the tools specific to those identity sources.

**What does passwd -S show?**

It shows the password status: whether a password is set, locked, or not set, along with the date of the last password change and the aging parameters (min, max, warn, inactive days).

**Why can't I see the password I am typing when using passwd?**

This is a security feature. The input is not echoed to prevent shoulder surfing or other observation of your password as you type it.

**Does passwd work on all Unix-like systems?**

The passwd command is standard on most Unix and Linux systems, but options may vary slightly between distributions and Unix variants (e.g., Solaris vs. Linux). Always check the man page for your specific system.

**Is it safe to use passwd with echo in a script?**

Generally no, because the password can be seen in the process list. Use chpasswd with a file that has restricted permissions, or use expect, instead.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/passwd
