Posts Tagged ‘passwords’

Changing Masses of Passwords

Friday, February 1st, 2008

As part of your routine security policy, you would like to be able to change batches of passwords easily and periodically. Or your network may have been compromised, so you want to change all the passwords yourself and not leave it up to your users.

Use the mass_passwd script. It lets you select batches of users in three different ways:

# mass_passwd username1 username2

# mass_passwd -g groupname groupname

# mass_passwd -a

The first method uses a simple space-delimited list of logins.

The second method changes the passwords of users belonging to the named groups.

The third method changes every password in /etc/passwd.

Then mass_passwd generates a separate file for each user, containing their new login names and passwords and whatever instructions or policies you choose to include. This is designed to make it easy to print a separate instruction sheet for each user.

You may do a dry run with the -n flag:

# ./mass_passwd -v -g -n usergroup
generating password for dawns…..teivuphu
generating password for nikitah…..kohfahsh
2 password(s) reset – see /root/mass_passwds/mass_passwd.log

No passwords are changed; this just lets you test-drive your options before committing to any changes.

Managing Passwords

Friday, February 1st, 2008

Resetting a password is the solution to the perennial “I forgot my password” problem. Many Linux administrators also think it’s a good idea to “expire” passwords, forcing users to change them periodically.

To reset or change a password, use:

# passwd aborg

Users can also change their own passwords:

aborg@server04:~$ passwd

This command sets aborg’s password to expire after six months, with five days’ warning, and disables the account once the password has been expired for one day (-i 1):

# passwd -x 180 -w 5 -i 1 aborg

To view a user’s password settings, use the -S option:

# passwd -S aborg
aborg P 02/18/2004 0 10 5 1
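
Per passwd(1), the seven fields of that status line are: login, password status (P usable, L locked, NP none), date of last change, then minimum age, maximum age, warning period and inactivity period in days. The Python code below is an added example, not part of the original post or of any tool it mentions; it parses such lines and flags password-aging problems as of a given day. The function names, flag labels, the ISO date variant and every sample line except aborg's are assumptions, and the exact day boundaries are this example's own approximation of the system's aging rules.

```python
from datetime import date, datetime, timedelta

DATE_FORMATS = ("%m/%d/%Y", "%Y-%m-%d")  # the page's format, plus ISO (assumed variant)

def parse_status(line):
    """Split one `passwd -S` line into its seven documented fields."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, status, changed = fields[:3]
    for fmt in DATE_FORMATS:
        try:
            last = datetime.strptime(changed, fmt).date()
            break
        except ValueError:
            pass
    else:
        raise ValueError(f"unrecognised date {changed!r}")
    min_d, max_d, warn_d, inact_d = (int(f) for f in fields[3:])
    return {"name": name, "status": status, "last": last, "min": min_d,
            "max": max_d, "warn": warn_d, "inactive": inact_d}

def findings(rec, today):
    """Return audit flags (hypothetical labels) for one record as of `today`."""
    flags = []
    if rec["status"] == "NP":
        flags.append("no-password")
    if rec["max"] < 0 or rec["max"] >= 99999:  # conventional "never expires" values
        flags.append("never-expires")
        return flags
    expires = rec["last"] + timedelta(days=rec["max"])
    if rec["inactive"] >= 0 and today > expires + timedelta(days=rec["inactive"]):
        flags.append("inactive")   # expired and past the -i grace period
    elif today > expires:
        flags.append("expired")
    elif today >= expires - timedelta(days=rec["warn"]):
        flags.append("warning")    # inside the -w warning window
    return flags

# Constructed sample: the first line is the page's output, the others are made up.
SAMPLE = """aborg P 02/18/2004 0 10 5 1
svcbackup NP 2004-01-05 0 99999 7 -1
jdoe P 02/01/2004 0 180 5 1"""

def audit(text, today):
    """Map each login in `text` to its list of flags."""
    return {r["name"]: findings(r, today) for r in map(parse_status, text.splitlines())}

if __name__ == "__main__":
    for user, flags in audit(SAMPLE, date(2004, 3, 10)).items():
        print(user, ",".join(flags) or "ok")
```
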

Passwords can consist of numbers, letters, and punctuation marks, and they are case-sensitive. Don’t use spaces or function keys. Strong passwords work best: this means no names, no dictionary words, no birthdays or addresses. The best way to keep track of passwords is to write them down and keep them in a safe place. Most people, if they can’t remember all of their passwords, end up choosing weak, easily guessable passwords, or leaving them in obvious, insecure places (such as on a note stuck to the monitor).

Linux passwords are not designed to be recoverable. If a password is lost, the user must depend on the benevolence of the superuser to create a new one.