
How to Use passwd --expire Command to Force User to Change Password on Login on Linux

For a server administrator, user management is one of the crucial tasks. User management includes adding or removing users and managing their login credentials. From a security point of view, users need to change their passwords regularly. But in the case of a security incident, the server administrator can force users to change their passwords immediately at their next login. For that, the Linux server administrator uses the passwd command with the -e or --expire option.

In this tutorial, I will explore what passwd --expire command is and how to use it in Linux.

Note: It is not advisable to edit /etc/passwd, or /etc/shadow files without the required expertise, because if you make any syntax error then you may lose login or root privileges.

What is passwd --expire Command

Before understanding the passwd --expire command, we must have an idea about the passwd command-line utility. The passwd command is used to change the password of any account; a normal user can change his/her password while the server administrator or super user can change any user’s password. Moreover, the passwd command can also be used to set the validity period of the password.

Like other commands, the passwd command also has many options to manage passwords. One of those options is the --expire option. The --expire option immediately expires the password of any user and forces them to change their password on the next login.

Syntax:

passwd --expire [username]

The --expire can be replaced with -e option:

passwd -e [username]

Let’s understand how to use passwd --expire command on Linux.

How to use passwd --expire Command

To force any user to change his/her password on login, the passwd --expire command is used with the username of that particular account.

sudo passwd --expire sami

I am changing the [username] to my own username sami; replace it with the desired user account username.

Upon running this command, you will get a prompt that says the password expiry information changed for the user sami.

When the user logs in next time the system will force the user to change the password.

If the user enters the same old password, a prompt reports that the password is unchanged.

Once a strong new password is set, the user can use the account.

On the display manager (graphical login interface), the user will also be prompted for the password change.

How to Check Password Expiry on Linux

By default, on Linux distributions, the user password expires after 99999 days and the user is warned 7 days before expiration. To check it, execute the following command in the terminal.

sudo chage --list [username]

You can also access this information through /etc/login.defs file.

sudo cat /etc/login.defs

Other Methods to Set Expiry to the User’s Password

There are a couple of other methods as well, that would help in forcing the user to change the password immediately.

i. Using chage Command

The chage command is more versatile for user management. It gives more account information compared to the passwd command. It can also be used to expire the user's password immediately. For example:

sudo chage --lastday 0 [username]

In the above command, the --lastday option can also be abbreviated as -d.

sudo chage -d 0 [username]

The 0 is the number of days, which means that a password change is required immediately at the next login.

For example, if you want to expire the password of user sami with chage tool, use the command mentioned below:

sudo chage --lastday 0 sami

Now log in, and the user will be prompted to change the password immediately.

Note that after entering the old credentials, the user will be prompted for the password change.

ii. Modifying the /etc/shadow File

The shadow file contains the hashed user passwords and can only be accessed by the root user. It can also be used to set the expiry of the user's password. This method is for advanced administrators.

Access the file using:

sudo nano /etc/shadow

Locate the user; in my case it is sami.

The line is hard to read, but the last four fields are of our concern. The following image dissects the line.

We need to modify field number 3, which is the last password change date; simply set it to 0. So, when the user (sami) logs in next time, he will be prompted with a password change message.
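To make these fields easier to reason about, here is an added shell example (not part of the article): it audits shadow-format text for accounts whose last-change field is 0, which is the state passwd --expire and chage -d 0 produce, and applies the same field-3 edit the article makes by hand. The sample shadow lines and hashes are constructed; the function names are my own.

```shell
#!/bin/bash
# Field layout of a shadow line:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01; 0 means "must change at next login".

# Constructed sample shadow content (not a real /etc/shadow; hashes are fake).
SAMPLE_SHADOW='sami:$6$c0nstructed$notarealhash:0:0:99999:7:::
sam1:$6$c0nstructed$notarealhash:19700:0:90:7:::
sam2:!:19650:0:99999:7:::
svc:*:19600:0:99999:7:::'

# Read shadow-format lines on stdin and print "name:status" per account.
# Arg 1: today's date as days since the epoch (passed in to stay deterministic).
# Status: forced-change, locked, no-password, expired or ok.
shadow_audit() {
  local today="$1"
  awk -F: -v today="$today" '
    NF < 8 { next }                                   # skip malformed lines
    $2 == "" { print $1 ":no-password"; next }        # empty hash field
    $2 ~ /^[!*]/ { print $1 ":locked"; next }          # locked / nologin account
    $3 == 0 { print $1 ":forced-change"; next }        # passwd --expire / chage -d 0
    $5 != "" && $5 < 99999 && $3 + $5 < today { print $1 ":expired"; next }
    { print $1 ":ok" }
  '
}

# Copy stdin to stdout with one account's lastchg field set to 0,
# the same edit the article performs manually in /etc/shadow.
expire_in_shadow() {
  local user="$1"
  awk -F: -v OFS=: -v u="$user" '$1 == u { $3 = 0 } { print }'
}

# Helper: status of one user in SAMPLE_SHADOW on a given day.
status_of() {
  printf '%s\n' "$SAMPLE_SHADOW" | shadow_audit "$2" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# For a live system: sudo cat /etc/shadow | shadow_audit "$(( $(date +%s) / 86400 ))"
```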

How to Expire Password of Multiple Users in Linux

To expire the passwords of multiple users you have to go one by one, since passwd --expire does not accept multiple users at a time.

sudo passwd --expire sam1

sudo passwd --expire sam2

Or you can create a bash script and mention the usernames to apply the password expiration to multiple users.

#!/bin/bash
# Expire the password of each listed user so they must change it at next login.
# Run the script with sudo, since passwd --expire requires root privileges.
for users in sam1 sam2
do
    passwd --expire "$users"
done
echo "Password expiration has been applied to the mentioned users."

The above Bash script loops through the mentioned usernames sam1 and sam2 and applies the passwd --expire command to each user. Finally, it displays the message.

Save the script and then make the file executable, using:

sudo chmod +x [script_name].sh

Execute the script using

sudo ./[script_name].sh

Replace the [script_name] with the original script file name.

How to Expire Password of All Users in Linux

As a system administrator, you may want to expire passwords of the all the users. To do that run the below-given script:

#!/bin/bash
# Expire the password of every regular user account (UIDs 1001 to 60000).
# getent passwd looks up each UID; cut keeps the first colon-separated field (the username).
# Run the script with sudo, since passwd --expire requires root privileges.
for all_users in $(getent passwd {1001..60000} | cut -d: -f1); do
    passwd --expire "$all_users"
done
echo "Password expiration has been applied to all users."

The above script loops through the accounts in /etc/passwd and stores each username in the all_users variable. The getent tool looks up the entries, while {1001..60000} expands to the range of real user IDs in /etc/passwd, which start from 1001. The cut tool extracts the first field from the colon-delimited (:) output of the getent command.

After that passwd --expire command is applied to all the users. When the process is completed the echo command will execute with a message.

To execute the script, first give it the necessary permissions to make it executable, using the below-given command:

sudo chmod +x [script_name].sh

To execute the file, use:

sudo ./[script_name].sh

Ensure the Bash script file is in the current working directory and replace [script_name] with the actual name of the script. For example, in my case it is myscript.sh, so the command is sudo ./myscript.sh.

Conclusion

The passwd --expire command is used by system admins to make any user's password expire immediately. In most cases, system admins do this for security reasons or to force a new user to change the default password. Password expiry can also be set using other methods such as the chage command or modifying the /etc/shadow file.

About the author

Sam U

I am a professional graphics designer with over 6 years of experience. Currently doing research in virtual reality, augmented reality and mixed reality.
I hardly watch movies but love to read tech related books and articles.