passwd — Control Authentication Lifecycle
By the end of this lesson, you will be able to reset user credentials, lock or unlock accounts safely, enforce password-aging policy, and validate status for WordPress admin and deploy users.
Overview
passwd manages account passwords and password-aging metadata stored in /etc/shadow. It is a core command for onboarding, incident response, and offboarding on Linux servers.
On a WordPress VPS, passwd helps you control who can authenticate, when passwords expire, and how quickly compromised access can be revoked.
- Core Function: Set, lock, unlock, expire, and inspect account password state.
- Primary Benefit: Fast account hardening without deleting user identities.
- Where to Use: Admin account setup, contractor offboarding, compliance policy enforcement.
- Workflow: passwd [OPTIONS] [USERNAME].
passwd is part of the shadow password utilities and ships with Ubuntu by default.
System Check
Ensure passwd is available and check your build:
which passwd # Expected: /usr/bin/passwd
passwd --help # Shows supported options on this host
Syntax & Expression Rules
The command follows a logical structure that reads almost like a sentence:
passwd [OPTIONS] [USERNAME]
- [OPTIONS]: Password state modifiers such as -l, -u, -e, -x, and -S.
- [USERNAME]: Optional target account; if omitted, your current user's password is changed.
- (sudo context): Required when changing other users or account policy values.
Password Control Flags
| Expression | Description | Example Syntax | ⭐ Rating |
|---|---|---|---|
| (no flag) | Change password interactively | passwd | ⭐⭐⭐⭐⭐ |
| -l | Lock account password login | sudo passwd -l wpdev | ⭐⭐⭐⭐⭐ |
| -u | Unlock previously locked password login | sudo passwd -u wpdev | ⭐⭐⭐⭐⭐ |
| -e | Expire password immediately | sudo passwd -e wpadmin | ⭐⭐⭐⭐ |
| -d | Delete password hash (key-based workflows only) | sudo passwd -d deployer | ⭐⭐⭐ |
| -S | Show password status and aging values | sudo passwd -S wpadmin | ⭐⭐⭐⭐ |
| -n DAYS | Minimum days between password changes | sudo passwd -n 2 wpadmin | ⭐⭐⭐ |
| -x DAYS | Maximum password age | sudo passwd -x 90 wpadmin | ⭐⭐⭐⭐ |
| -w DAYS | Warning days before expiry | sudo passwd -w 7 wpadmin | ⭐⭐⭐⭐ |
| -i DAYS | Inactive days after expiry before lock | sudo passwd -i 14 wpadmin | ⭐⭐⭐ |
Security Operations
| Action | Description | WordPress/VPS Use Case | Example Syntax |
|---|---|---|---|
| Rotate compromised credential | Reset user password immediately | Incident response after leaked password | sudo passwd wpadmin |
| Suspend account quickly | Lock without deleting user/files | Temporary suspension of contractor | sudo passwd -l contractor1 |
| Force next-login reset | Require user-defined new password | New admin onboarding | sudo passwd -e siteops |
| Enforce policy window | Apply max age + warning period | Compliance baseline for admin accounts | sudo passwd -x 90 -w 7 wpadmin |
Practical Use Cases
1. Change your current password
passwd
Expected output:
Changing password for user wpdev.
Current password:
New password:
Retype new password:
passwd: password updated successfully
Explanation: Updates current account credentials interactively. Use case: Routine credential rotation.
2. Reset another user's password as admin
sudo passwd wpadmin
Expected output:
New password:
Retype new password:
passwd: password updated successfully
Explanation: Assigns a new password for target account. Use case: Helpdesk reset for locked-out maintainer.
3. Lock a user account quickly
sudo passwd -l contractor1
Expected output:
passwd: password expiry information changed.
Explanation: Prevents password-based login by locking the stored hash. SSH key authentication is not affected, so existing keys must be handled separately. Use case: Immediate access suspension at contract end.
4. Unlock a previously locked account
sudo passwd -u contractor1
Expected output:
passwd: password expiry information changed.
Explanation: Restores password-based login capability. Use case: Re-enable account after approval.
5. Force password change at next login
sudo passwd -e siteops
Expected output:
passwd: password expiry information changed.
Explanation: Marks password as expired immediately. Use case: Ensure first-login reset for newly provisioned staff.
6. Apply 90-day expiry and 7-day warning
sudo passwd -x 90 -w 7 wpadmin
Expected output:
passwd: password expiry information changed.
Explanation: Enforces aging policy. Use case: Security baseline for privileged users.
7. Inspect password status and policy values
sudo passwd -S wpadmin
Expected output:
wpadmin P 2026-02-22 0 90 7 -1
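Explanation: Prints the account name, password state (P usable password, L locked, NP no password), date of last change, minimum age, maximum age, warning period, and inactivity period (-1 means not set).
Use case: Compliance audit evidence.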
8. Prepare key-only deployment account
sudo passwd -d deployer
Expected output:
passwd: password expiry information changed.
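Explanation: Removes the local password hash, which leaves the password empty rather than locked (passwd -S then reports NP); the account should rely on SSH keys. Before relying on this, confirm that sshd_config keeps PermitEmptyPasswords no and that the PAM configuration does not accept empty passwords. Use case: Reduce brute-force risk for automation identities.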
9. Set inactive lock window after expiry
sudo passwd -x 60 -w 7 -i 14 stageadmin
Expected output:
passwd: password expiry information changed.
Explanation: Locks account after 14 days of inactivity following password expiry. Use case: Tighten access lifecycle for temporary admin accounts.
Common Mistakes & Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Authentication token manipulation error | Missing privilege or filesystem issue | Use sudo passwd USER and verify /etc is writable |
| User still accesses server after lock | SSH key auth still enabled | Remove or rotate keys in /home/USER/.ssh/authorized_keys and review sshd_config |
| passwd -u fails to unlock | Account has no valid password hash | Set new password directly: sudo passwd USER |
| Policy values not what you expected | Previous settings remain on account | Verify with sudo passwd -S USER and reapply full policy flags |
| Frequent forced resets for service account | Aging policy applied to non-human user | Exempt service users or switch to key-only auth with clear documentation |
Best Practices
- Use personal accounts only: Never share one admin password across multiple people.
- Rotate privileged credentials regularly: Apply strict expiry for sudo-capable users.
- Lock before delete in emergencies: passwd -l is safer for immediate containment.
- Treat passwd -d as advanced: Use only when key-based login controls are already enforced.
- Audit policy drift monthly: Review passwd -S or chage -l for admin accounts.
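One way to run the monthly policy-drift audit is to parse passwd -S output and flag accounts that deviate from the 90-day / 7-day policy used in this lesson. This is an added example, not part of the original lesson; the function names audit_passwd_status and sample_status and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original lesson): flag accounts whose
# `passwd -S` line deviates from the lesson's 90-day / 7-day policy.
# Field order per passwd(1): user status last-change min max warn inactive

MAX_AGE=90   # policy value used in this lesson
MIN_WARN=7   # policy value used in this lesson

# Reads `passwd -S` lines on stdin; prints one line per finding.
audit_passwd_status() {
    while read -r user status _changed _min max warn _inactive; do
        [ -n "$user" ] || continue
        case "$status" in
            L)  continue ;;  # locked password: aging values do not matter
            NP) echo "$user: empty password (NP)"; continue ;;
        esac
        # -1 and 99999 both mean the password effectively never expires.
        if [ "$max" -lt 0 ] || [ "$max" -gt "$MAX_AGE" ]; then
            echo "$user: max age $max is outside policy (<= $MAX_AGE)"
        fi
        if [ "$warn" -lt "$MIN_WARN" ]; then
            echo "$user: warning period $warn below $MIN_WARN"
        fi
    done
}

# Constructed sample input so the script runs offline without root.
sample_status() {
    cat <<'EOF'
wpadmin P 2026-02-22 0 90 7 14
siteops P 2026-01-10 0 99999 5 -1
deployer NP 2026-02-01 0 99999 7 -1
contractor1 L 2026-01-15 0 90 7 14
EOF
}

sample_status | audit_passwd_status
# On a live host, as root: passwd -S -a | audit_passwd_status
```

A locked (L) entry only confirms that password login is blocked; SSH keys for that account still need a separate check, as the troubleshooting table notes.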
Hands-On Practice
Task: Enforce Password Policy for WordPress Admins
- Apply policy to wpadmin with sudo passwd -x 90 -w 7 -i 14 wpadmin.
- Force immediate rotation with sudo passwd -e wpadmin, then verify using sudo passwd -S wpadmin.
- Challenge: Lock contractor1, verify lock status, then remove its SSH key to guarantee full access revocation.
Connection to Other Concepts
- adduser: Creates accounts before you assign password policy.
- su: Switching users is safer when account credentials are tightly managed.
- sudo: Privilege escalation policy depends on well-controlled admin credentials.
- userdel: Final offboarding step after lock/expiry lifecycle.
What's Next: Proceed to su — Switch User Context Securely to understand controlled user context switching during admin tasks.