42.1.3.2.2. Password Aging

42.1.3.2.2. Password Aging

Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.

There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager (system-config-users) application.

The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command: 

chage -M 90 <username>

In the above command, replace <username> with the name of the user. To disable password expiration, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years).

You can also use the chage command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode: 

chage <username>

The following is a sample interactive session using this command: 

 [root@interch-dev1 ~]# chage davido Changing the aging information for davido Enter the new value, or press ENTER for the default Minimum Password Age [0]: 10 Maximum Password Age [99999]: 90 Last Password Change (YYYY-MM-DD) [2006-08-18]: Password Expiration Warning [7]: Password Inactive [-1]: Account Expiration Date (YYYY-MM-DD) [1969-12-31]: [root@interch-dev1 ~]#

Refer to the man page for chage for more information on the available options.

You can also use the graphical User Manager application to create password aging policies, as follows. Note: you need Administrator privileges to perform this procedure.

  1. Click the System menu on the Panel, point to Administration and then click Users and Groups to display the User Manager. Alternatively, type the command system-config-users at a shell prompt.

  2. Click the Users tab, and select the required user in the list of users.

  3. Click Properties on the toolbar to display the User Properties dialog box (or choose Properties on the File menu).

  4. Click the Password Info tab, and select the check box for Enable password expiration.

  5. Enter the required value in the Days before change required field, and click OK.

Specifying password aging options

Password Info pane illustration.

Figure 42.1. Specifying password aging options

For more information about user and group configuration (including instructions on forcing first time passwords), refer to Chapter 32, Users and Groups.