Edit the file /etc/login.defs to specify password expiration settings for new accounts. Add or correct the following lines:
PASS_MAX_DAYS 60
PASS_MIN_DAYS 7
PASS_MIN_LEN 14
PASS_WARN_AGE 7

For each existing human user USER, modify the current expiration settings to match these:
# chage -M 60 -m 7 -W 7 USER

Users should be forced to change their passwords, in order to decrease the utility of compromised passwords. However, the need to change passwords often should be balanced against the risk that users will reuse or write down passwords if forced to change them too often. Forcing password changes every 90-360 days, depending on the environment, is recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing accounts with the -M flag.

The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first change, to discourage password cycling. If you use this setting, train users to contact an administrator for an emergency password change in case a new password becomes compromised.

The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time that their passwords are about to expire.

The PASS_MIN_LEN setting, which controls minimum password length, should be set to whatever is required by your site or organization security policy.
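Because /etc/login.defs only affects accounts created afterwards, existing accounts need to be checked individually. The following script is an added example, not part of the original guide: it compares the min/max/warn fields of a shadow-format file against the 7/60/7 values above and prints the chage command for each account that differs. The function names, the sample data and the UID range used to identify human users (1000 to 60000) are assumptions.

```shell
#!/bin/sh
# Added example: report human accounts whose password-aging fields in a
# shadow-format file differ from the policy above (max 60, min 7, warn 7).
# Assumption: "human" means UID 1000..60000 (common UID_MIN/UID_MAX defaults).

# audit_aging PASSWD_FILE SHADOW_FILE
audit_aging() {
    awk -F: -v pmax=60 -v pmin=7 -v pwarn=7 '
        # First file (passwd format): remember the names of human accounts.
        NR == FNR { if ($3 >= 1000 && $3 <= 60000) human[$1] = 1; next }
        # Second file (shadow format): field 4 = min, 5 = max, 6 = warn.
        ($1 in human) && ($4 != pmin || $5 != pmax || $6 != pwarn) {
            printf "%s min=%s max=%s warn=%s\n", $1, $4, $5, $6
        }
    ' "$1" "$2"
}

# fix_commands PASSWD_FILE SHADOW_FILE
# Prints (does not run) the chage command for each non-compliant account.
fix_commands() {
    audit_aging "$1" "$2" | while read -r name rest; do
        printf 'chage -M 60 -m 7 -W 7 %s\n' "$name"
    done
}

# Constructed sample data, not taken from a real system.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$hash:19000:7:60:7:::
bob:$6$constructed$hash:19000:0:99999:7:::
carol:$6$constructed$hash:19000:7:60::::
nobody:*:19000:0:99999:7:::
EOF

audit_aging "$demo_dir/passwd" "$demo_dir/shadow"
fix_commands "$demo_dir/passwd" "$demo_dir/shadow"
```

On a live system, run `audit_aging /etc/passwd /etc/shadow` as root, since /etc/shadow is not world-readable, and review the printed chage commands before executing them.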
