Password aging, part 1

By , ITworld |  Open Source, password, Unix

The username and password are set and the date on which the password was last changed has been recorded, but no password aging is taking effect.

If it looks like this, the account is locked.


Various other combinations of the shadow file are possible, but the min, max and warn fields will only make sense if the lastchg field is set. For example:


User must keep a password for 60 days once he changes it, but no password changes are required.


User must change his password every 60 days, but can change it at any time (including immediately changing it back to its previous value).

Choosing Min and Max Settings

If you want to turn on password aging, the combination of minimum (must keep) and maximum (invalid after) values enforces a practical password update scheme. Suggested settings depend in part on the security stance of your particular network. However, general consensus seems to be that passwords, once changed, should be kept for a month (min=30) and that passwords should be changed every three to six months (from max=90 to max=180).

Once a user has used a password for 30 days, he's probably not going to reset it back to its previous value. By then he should know it well enough to continue using it.

Changing a password more often than every month or so would probably make it hard for users to remember their passwords without writing them down.

The down side of min values is that this setting doesn't allow someone to change his password if he believes it has been compromised when the compromise happens within the "min" period. Whatever system you adopt should, therefore, make it painless for a user to request that his password be reset whenever he believes it may no longer be secure.

Wrap Up

We hear a lot about the tradeoff between security and convenience as it permeates so many of our decisions about how we manage our networks but, when it comes to passwords, we must be careful not to cross the line between securing logins and preventing them altogether. Locking our users too easily out of their accounts can reduce security as easily as enhance it. Using password aging with the proper settings can limit the risk that security constraints turn into unintended denials of service.

Next week, we'll look at how to introduce password aging on a system where users have never had their passwords expire.

See the whole series:

Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question