How to Require Regular Password Changes

A server is only as strong as its weakest user, and a weak user will have a weak password. One way to make passwords a little more secure is to require users to change them routinely. To do so, use the login.defs file to set the number of days until users are required to change their passwords. You can find and edit this file (as root) at /etc/login.defs.

The following settings are found in this file:

  1. PASS_MAX_DAYS – This is the maximum number of days that a password can be used, after which it must be changed.
  2. PASS_MIN_DAYS – The minimum number of days allowed between password changes. This keeps users who are forced to change their passwords from immediately changing them back.
  3. PASS_WARN_AGE – This refers to the number of days that the system will warn the user before the password actually expires.

An example is:




If PASS_MAX_DAYS is set to 99999, the system will never require a password change. If PASS_MIN_DAYS is set to 0, users can change their passwords whenever they want. Finally, if PASS_WARN_AGE is set to 0, the warning will only be given on the date of expiration, and if it is set to a negative number, a warning will never be given.
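
The script below is an added example, not part of the original article: it reads a login.defs-style file and reports the special values described above. The function names and the sample file contents are made up for illustration, and taking the last occurrence of a repeated key is an assumption of this script.

```sh
#!/bin/sh
# Added example: audit the password-aging settings in a login.defs-style file.

# get_setting FILE KEY: print the uncommented value of KEY (nothing if unset).
# Assumption of this script: if KEY is repeated, the last occurrence is used.
get_setting() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# is_int VALUE: succeed only if VALUE is an optionally negative integer.
is_int() {
    case ${1#-} in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_login_defs FILE: print one line per finding, nothing if all is fine.
audit_login_defs() {
    for key in PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE; do
        val=$(get_setting "$1" "$key")
        if [ -z "$val" ]; then
            echo "$key: not set in $1"
        elif ! is_int "$val"; then
            echo "$key: value '$val' is not an integer"
        else
            case $key in
                PASS_MAX_DAYS) if [ "$val" -eq 99999 ]; then echo "$key=99999: password change is never required"; fi ;;
                PASS_MIN_DAYS) if [ "$val" -eq 0 ]; then echo "$key=0: users can change passwords at any time"; fi ;;
                PASS_WARN_AGE)
                    if [ "$val" -eq 0 ]; then
                        echo "$key=0: warning is given only on the expiration date"
                    elif [ "$val" -lt 0 ]; then
                        echo "$key=$val: no expiration warning is ever given"
                    fi ;;
            esac
        fi
    done
    return 0
}

# Constructed sample (not from a real system): each active value is one the text flags.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PASS_MAX_DAYS 90
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   -1
EOF
audit_login_defs "$sample"   # on a real system: audit_login_defs /etc/login.defs
rm -f "$sample"
```

These three settings are applied when an account is created; existing accounts keep the aging values already stored for them, which chage -l USER displays.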