SAHIL

Password Policies and Security in Linux 🐧

Field of Secrets: The /etc/shadow File 🕵️‍♀️

Ever wonder where your Linux password actually lives? Not in /etc/passwd. That file is for public consumption. Your real password, or rather its hash, is locked down in a file called /etc/shadow. Only the root user can read it. It's the Fort Knox of your system. 🏰

Each line in /etc/shadow isn't just a password; it's a security profile. It's a string of nine fields separated by colons, each one a piece of your user's security puzzle:

  • Username: The user's name.
  • Encrypted Password: The hashed password. A ! or * in this field means password login to the account is disabled. 🚫
  • Last Change: The day the password was last changed, stored as a count of days since 1 January 1970. 📅
  • Min Days: The minimum number of days before a password can be changed again. No password hot-swapping allowed. ⏱️
  • Max Days: The maximum number of days the password is valid. After this, it must be changed. ⏳
  • Warning Days: The number of days a user is warned before their password expires. ⚠️
  • Inactive Days: How long a user has to change an expired password before the account is locked. 🛑
  • Expiration Date: The date the account itself expires, stored as the same kind of day count. 💀
  • Reserved: Just a placeholder for now. 🤷

The chage Command: You're the Boss Now 😎

So, you've seen the fields. How do you actually control them? With a command that sounds like what it does: chage (change-age). This is your weapon for enforcing password policies on individual users. Think of it as a personal security drill sergeant. 💂‍♀️

Here are a few quick ways to wield it:

  • chage -l user1: List everything. See user1's entire password profile at a glance. 📜
  • chage -M 90 user1: Force user1 to change their password every 90 days. No excuses. 🗓️
  • chage -W 14 user1: Make user1 start seeing warnings 14 days before their password expires. 🚨
  • chage -I 30 user1: If user1 still hasn't changed an expired password 30 days after it expired, the account locks. Game over. ❌
  • chage -E 2026-01-01 user1: Set a hard expiration date for the account. Handy for temporary users. 📅➡️🗑️

The Global Blueprint: /etc/login.defs 🏗️

Setting policies for one user is cool, but what about the entire system? You don't want to run chage on every new user. That's where /etc/login.defs comes in. This file is the global blueprint for all new accounts. Any new user you create will inherit these rules by default; accounts that already exist keep the aging values they were created with, which is where chage still comes in. ✅

Your must-know parameters here are:

  • PASS_MAX_DAYS: The system-wide maximum password age.
  • PASS_MIN_DAYS: The system-wide minimum password age.
  • PASS_WARN_AGE: The system-wide warning period.

By configuring these once, you're setting a baseline of security that applies to everyone. It's the ultimate set-it-and-forget-it security win. 🏆
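
To see the shadow fields, the chage knobs and the login.defs baseline working together, here is an added Python example (not code from this post or from the shadow-utils project) that parses constructed /etc/shadow lines, classifies each account as a login on a fixed date would, and flags any user whose Max Days is looser than an assumed PASS_MAX_DAYS of 90. The user names, hashes and day counts are all made up.

```python
# Added example, not from the original post: audit constructed /etc/shadow lines against a PASS_MAX_DAYS baseline.
from datetime import date
EPOCH = date(1970, 1, 1)  # fields 3 and 8 are day counts since this date
SAMPLE_SHADOW = """\
root:$6$salt$placeholderhash:19700:0:99999:7:::
alice:$6$salt$placeholderhash:19795:0:90:14:30::
bob:$6$salt$placeholderhash:19700:0:90:14:30::
carol:$6$salt$placeholderhash:19600:0:180:14:::
dave:!$6$salt$placeholderhash:19800:0:90:7:::
contractor:$6$salt$placeholderhash:19800:0:90:7::19800:
"""  # constructed sample; the hashes are placeholders, not real digests

def parse_shadow_line(line):
    f = line.rstrip("\n").split(":")  # nine colon-separated fields
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
    keys = ("last", "min", "max", "warn", "inactive", "expire")
    e = {k: (int(v) if v else None) for k, v in zip(keys, f[2:8])}  # blank = not set
    return {**e, "name": f[0], "hash": f[1]}

def audit(e, today):
    # Classify one entry the way a login attempt on `today` would treat it
    now = (today - EPOCH).days
    if e["hash"].startswith(("!", "*")):
        return "locked"                 # ! or * in field 2 disables password login
    if e["expire"] is not None and now >= e["expire"]:
        return "account-expired"        # hard account expiry date (chage -E)
    if e["last"] is None or e["max"] is None:
        return "no-aging"               # aging fields unset: the password never expires
    due = e["last"] + e["max"]          # the day the password expires (chage -M)
    if now >= due:
        if e["inactive"] is not None and now >= due + e["inactive"]:
            return "inactive-locked"    # grace period (chage -I) has also run out
        return "password-expired"
    left = due - now                    # warn (chage -W) once inside the window
    return f"{'warning' if e['warn'] is not None and left <= e['warn'] else 'ok'}:{left}"

def audit_shadow(text, today, pass_max_days):
    # Map user -> status; users whose Max Days exceeds the global baseline get a flag
    report = {}
    for line in text.splitlines():
        e = parse_shadow_line(line)
        status = audit(e, today)
        if e["max"] is not None and e["max"] > pass_max_days:
            status += ";exceeds-PASS_MAX_DAYS"
        report[e["name"]] = status
    return report

def audit_sample():  # fixed, constructed date so the report is reproducible
    return audit_shadow(SAMPLE_SHADOW, date(2024, 6, 1), 90)
```

Running audit_sample() reports root as fine but looser than the baseline, alice inside her warning window, bob locked out after the inactive grace period, carol expired, dave locked and the contractor account past its expiry date; point audit_shadow at a real /etc/shadow (as root) and today's date to audit your own system.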

Final Thoughts: Secure Your Stack 🛡️

Don't let your Linux system be the low-hanging fruit for attackers. By understanding and actively managing /etc/shadow, wielding the chage command, and setting up solid global policies in /etc/login.defs, you're not just hoping for the best, you're actively enforcing it.

Now, go check your users' passwords. They're probably naked right now. 🐧💨
