Password aging forces the user to change passwords after a period of time specified by the system administrator. Password aging can also force a user to keep a password for a certain number of weeks before changing it.
Sample entry from /etc/passwd with password aging installed:
Note the comma in the encrypted password field. The characters after the comma are used by the password aging mechanism.
The password aging characters from above example are:
The four characters are interpreted as follows:
|Character|Meaning|
|---|---|
|1|Maximum number of weeks a password can be used without changing.|
|2|Minimum number of weeks a password must be used before changing.|
|3 & 4|Last time the password was changed, in number of weeks since 1970.|
- If the first and second characters are set to ‘..’ the user will be forced to change his/her passwd the next time he/she logs in. The passwd program will then remove the passwd aging characters, and the user will not be subjected to password aging requirements again.
- If the third and fourth characters are set to ‘..’ the user will be forced to change his/her passwd the next time he/she logs in. Password aging will then occur as defined by the first and second characters.
- If the first character (MAX) is less than the second character (MIN), the user is not allowed to change his/her password. Only root can change that user's password.
It should also be noted that the su command does not check the password aging data. An account with an expired password can be su'd to without being forced to change the password.
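The following is an added example (not part of the original text) that decodes the aging characters and applies the rules above to audit /etc/passwd entries for expired or must-change passwords. It assumes the 64-character digit alphabet and ordering of a64l(3) (`.`=0, `/`=1, `0`-`9`=2..11, `A`-`Z`=12..37, `a`-`z`=38..63, first week character least significant), and the sample entries and "current week" are constructed.

```python
import datetime

# Digit alphabet of the aging characters, assumed to match a64l(3):
# '.'=0, '/'=1, '0'-'9'=2..11, 'A'-'Z'=12..37, 'a'-'z'=38..63
AGING_DIGITS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def decode_weeks(chars):
    """Decode characters 3-4 (weeks since 1970); a64l order assumed: first char is least significant."""
    return sum(AGING_DIGITS.index(c) * 64 ** i for i, c in enumerate(chars))

def weeks_since_1970(day):
    """Whole weeks elapsed since 1970-01-01 for a datetime.date."""
    return (day - datetime.date(1970, 1, 1)).days // 7

def aging_status(pw_field, current_week):
    """Interpret the characters after the comma in an /etc/passwd password field."""
    if "," not in pw_field:
        return {"aging": False}
    aging = pw_field.split(",", 1)[1]
    if len(aging) < 2:
        raise ValueError("malformed aging field: %r" % aging)
    max_w, min_w = AGING_DIGITS.index(aging[0]), AGING_DIGITS.index(aging[1])
    last = decode_weeks(aging[2:])      # an empty week string decodes to week 0
    status = {"aging": True, "max": max_w, "min": min_w, "last_change_week": last,
              "force_change": False, "aging_removed_after_change": False,
              "user_may_change": True, "expired": False}
    if aging[:2] == "..":               # chars 1-2 '..': one forced change, then aging is dropped
        status["force_change"] = True
        status["aging_removed_after_change"] = True
    elif aging[2:4] == "..":            # chars 3-4 '..': forced change, aging continues afterwards
        status["force_change"] = True
    else:                               # password has been used longer than MAX weeks
        status["expired"] = current_week - last > max_w
    if max_w < min_w:                   # MAX < MIN: only root may change this password
        status["user_may_change"] = False
    return status

def audit_passwd(lines, current_week):
    """Return (user, status) for each account whose password is expired or must be changed."""
    findings = []
    for line in lines:
        fields = line.split(":")
        st = aging_status(fields[1], current_week)
        if st.get("expired") or st.get("force_change"):
            findings.append((fields[0], st))
    return findings

# Constructed sample entries; "XXhash" stands in for the encrypted password.
SAMPLE_PASSWD = [
    "alice:XXhash,A.W2:100:10::/home/alice:/bin/sh",  # MAX 12, MIN 0, changed week 290
    "bob:XXhash,A.3.:101:10::/home/bob:/bin/sh",      # MAX 12, changed week 5: long expired
    "carol:XXhash,..:102:10::/home/carol:/bin/sh",    # must change once, then aging removed
    "dave:XXhash,/Ag2:103:10::/home/dave:/bin/sh",    # MAX 1 < MIN 12: user cannot change
]
```

Because su bypasses these checks, an audit such as `audit_passwd(SAMPLE_PASSWD, weeks_since_1970(datetime.date.today()))` is the way to find accounts whose expiry has silently lapsed.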
Chart of Password Aging Codes