How to Choose a Strong Password
The computer password was born from necessity. With the advent of multiuser time-sharing computer systems, the importance of separating and protecting people’s data became apparent, and the password solved that problem.
Passwords are still the most common form of account authentication. Two-factor and multifactor authentication enhances password protection, and biometric authentication provides an alternative method of identification. However, the good old password is still with us and will be for a long time to come. This means you need to know how best to create and use them. Some of the older practices are no longer valid.
Here are some basic password rules:
Don’t use passwords at all: Use passphrases instead. Three or four unrelated words connected by punctuation, symbols, or numbers make it much harder to crack than a string of gobbledygook or a password with vowels swapped out for numbers. Don’t re-use passwords: Don’t do this on the same or different systems. Don’t share your passwords: Passwords are private. Don’t share them with others. Don’t base passwords on personally significant information: Don’t use family members’ names, sports teams, favorite bands, or anything else that could be socially engineered or deduced from your social media. Don’t use pattern passwords: Don’t base passwords on patterns or positions of keys, such as qwerty, 1q2w3e, and so on.
Password expiration policies are no longer best practice. If you adopt strong, secure passphrases, you’ll only have to change them if you suspect they’ve been compromised. Regular password changes inadvertently promote poor password choices because many people use a base password and just add a date or digit to the end of it.
The National Institute of Standards and Technology has written extensively on passwords and user identification and authentication. Their comments are publicly available in Special Publication 800-63-3: Digital Authentication Guidelines.
The passwd File
Historically, Unix-like operating systems stored passwords, along with other information regarding each account, in the “/etc/passwd” file. Today, the “/etc/passwd” file still holds account information, but the encrypted passwords are held in the “/etc/shadow” file, which has restricted access. By contrast, anyone can look at the “/etc/passwd” file.
To peek inside the “/etc/passwd” file, type this command:
The contents of the file are displayed. Let’s look at the details for this account called “mary.”
Each line represents a single account (or a program that has a “user” account). There are the following seven colon-delimited fields:
User name: The login name for the account. Password: An “x” indicates the password is stored in the /etc/shadow file. User ID: The user identifier for this account. Group ID: The group identifier for this account. GECOS: This stands for General Electric Comprehensive Operating Supervisor. Today, the GECOS field holds a set of comma-delimited information about an account. This can include items like a person’s full name, room number, or office and home phone numbers. Home: The path to the account’s home directory. Shell: Started when the person logs in to the computer.
Empty fields are represented by a colon.
Incidentally, the finger command pulls its information from the GECOS field.
RELATED: How to Use the finger Command on Linux
The shadow File
To look inside the “/etc/shadow” file, you must use sudo:
The file is displayed. For every entry in the “/etc/passwd” file, there should be a matching entry in the “/etc/shadow” file.
Each line represents a single account, and there are nine colon-delimited fields:
User name: The login name for the account. Encrypted password: The encrypted password for the account. Last change: The date on which the password was last changed. Minimum Days: The minimum number of days required between password changes. The person has to wait this number of days before he can change his password. If this field contains a zero, he can change his password as often as he likes. Maximum Days: The maximum number of days required between password changes. Typically, this field contains a very large number. The value set for “mary” is 99,999 days, which is over 27 years. Alert Days: The number of days in advance of a password expiration date to display a reminder message. Reset Lock-out: After a password expires, the system waits this number of days (a grace period) before it disables the account. Account expiration date: The date on which the owner of the account will no longer be able to log in. If this field is blank, the account never expires. Reserve field: A blank field for possible future use.
Empty fields are represented by a colon.
Getting the “Last change” Field as a Date
The Unix epoch started on January 1, 1970. The value for the “Last change” field is 18,209. This is the number of days after January 1, 1970, the password for the account “mary” was changed.
Use this command to see the “Last change” value as a date:
The date is shown as midnight on the day the password was last changed. In this example, it was November 9, 2019.
The passwd Command
You use the passwd command to change your password, and—if you have sudo privileges—the passwords of others.
To change your password, use the passwd command with no parameters:
You must type your current password and your new one twice.
Changing Someone Else’s Password
To change the password of another account, you must use sudo, and provide the name of the account:
You must type your password to verify you have superuser privileges. Type the new password for the account, and then type it again to confirm.
Forcing a Password Change
To force someone to change her password the next time she logs in, use the -e (expire) option:
You’re told the password expiration date has been changed.
When the owner of the account “mary” next logs in, she’ll have to change her password:
Lock an Account
To lock an account, type passwd with the -l (lock) option:
You’re told the password expiration date was changed.
The owner of the account will no longer be able to log in to the computer with her password. To unlock the account, use the -u (unlock) option:
Again, you’re informed that the password expiry data was changed:
Again, the owner of the account will no longer be able to log into the computer with her password. However, she could still log in with an authentication method that doesn’t require her password, such as SSH keys.
If you really want to lock someone out of the computer, you need to expire the account.
RELATED: How to Create and Install SSH Keys From the Linux Shell
The chage Command
No, there isn’t an “n” in chage. It stands for “change age.” You can use the chage command to set an expiration date for an entire account.
Let’s take a look at the current settings for the “mary” account, with the -l (list) option:
The expiration date for the account is set to “never.”
To change the expiration date, use the -E (expiry) option. If you set it to zero, this is interpreted as “zero days from the Unix epoch,” i.e., January 1, 1970.
Type the following:
Recheck the account expiration date:
Because the expiration date is in the past, this account is now truly locked, regardless of any authentication method the owner might use.
To reinstate the account, use the same command with -1 as the numerical parameter:
Type the following to double-check:
The account expiration date is reset to “never.”
Changing an Account Password in GNOME
Ubuntu and many other Linux distributions use GNOME as the default desktop environment. You can use the “Settings” dialog to change the password for an account.
To do so, in the system menu, click the Settings icon.
In the Settings dialog, click “Details” in the pane on the left, and then click “Users.”
Click the account for which you want to change the password; in this example, we’ll select “Mary Quinn.” Click the account, and then click “Unlock.”
You’re prompted for your password. After you’re authenticated, “Mary’s” details become editable. Click the “Password” field.
In the “Change Password” dialog, click the “Set a Password Now” radio button.
Type the new password in the “New Password” and “Verify New Password” fields.
If the password entries match, the “Change” button turns green; click it to save the new password.
In other desktop environments, the account tools will be similar to those in GNOME.
Stay Safe, Stay Secure
For 60 years, the password has been an essential part of online account security, and it isn’t going away any time soon.
This is why it’s important to administer them wisely. If you understand the mechanisms of passwords in Linux and adopt the best password practices, you’ll keep your system secure.