passwd -- change login, or modem (dialup shell) password


passwd [ -m ] [ -dluf ] [ -n minimum ] [ -x expiration ] [ -r retries ] [ name ]

passwd -s [ -a ] [ name ]


The passwd command is used by ordinary users to: In addition, system administrators can use the passwd command to: A user who has the auth authorization is considered to be a system administrator. A user must have the passwd authorization to be able to change the password of any account.

Choosing a good password

Your login password is one of the most important defenses against security breaches. If a malicious person cannot log into a system, it is much harder for that person to steal or tamper with your data. Hence, by choosing a hard-to-guess password (either of your own invention or one suggested by the system), regularly changing it, and keeping it secret, you can protect your system.

In general, a password should:

Passwords should not:

Spelling a word backwards or appending a digit to a word does not turn a poor password choice into a ``good'' password. However, taking two or three unrelated words and combining them with some non-letters is a reasonable way of choosing an easy-to-remember but hard-to-crack password. On SCO OpenServer, passwords can be up to 80 characters long, so nonsensical rhymes (for example) can also be used as passwords.

User login passwords

When passwd is used to change or delete the password for user name, the old password (if any) is prompted for. (The password is not displayed as it is being entered.) System administrators are not prompted for the old password unless they are attempting to change their own password; the super user is never prompted for the old password. The passwd command can only be used to change or delete the password for user name by system administrators and the user authorized to change user name's password. Normally, users are authorized to change their own password.

Depending on how the system administrator has configured the account, the user may or may not be able to choose their own password, or may have a password chosen for them. If they can neither choose their own password nor have passwords generated for them, the password cannot be changed. If the user is able to do both, passwd asks which should be done.

A password is considered valid until it has expired. Passwords expire if they are not changed or deleted before the expiration time has passed. Once expired, the user is required to change (not delete) their password the next time they log in. If a user fails to do so before the password's lifetime has passed, the password is considered dead and the user's account is locked.

Once locked, the user may not log in, may not be su(C)'ed to, and no at(C), batch(C), or cron(C) jobs for that user may run. Only a system administrator can unlock a user with a dead password; a new password must be assigned.

To discourage re-use of the same password, the system administrator may set a minimum change time. After changing or deleting a password, the password may not be changed again (even by a system administrator) until at least that much time has elapsed.

Passwords may be deleted (or changed to be empty) only if the user is authorized to not have a password. Users without passwords are not recommended. (An empty password is prompted for when logging in, but a deleted password is not prompted for at login.)

If a password is being changed and the user has elected (or is forced) to choose a system-generated password, each suggested password is printed along with a hyphenated spelling that suggests how the password could be pronounced. To accept a suggested password, enter the password; if entered correctly, passwd will prompt for the suggested password to be entered again as confirmation. To reject a suggestion, just enter <Return>; to abort the change altogether, either enter ``quit'' or interrupt passwd.

If a password is being changed and the user has elected (or is forced) to assign a password of their own choosing, the new password is prompted for twice. It is checked for being ``obvious'' after the first prompt, and if deemed to be acceptable is prompted for again. If the proposed password is successfully entered a second time, it becomes the new password for user name.

Both system-generated and self-chosen passwords are checked for being easy to guess. See the section on ``Checking for obvious passwords'' (below) for a description of the checks.

When dealing with a user's login password, the following options are recognized:

-d
Delete the password. A password may be deleted only if the user is authorized to not have a password. System administrators must always specify name; otherwise, the name of the user who logged in is used.

-f
Force user name to change their password the next time they log in. This option may be specified only by system administrators, and only when the user's password is not being changed or deleted; name must be explicitly given.

-l
Lock user name out of the system by applying an administrative lock; only system administrators may do this and they must specify name.

-u
Remove any administrative lock applied to user name; only system administrators may do this and they must specify name.

-n minimum
Set the amount of time which must elapse between password changes for user name to minimum days. Only system administrators may do this and they must specify name.

-x expiration
Set the amount of time which may elapse before the password of user name expires to expiration days. Only system administrators may do this and they must specify name. Once a password has expired, the user must change it the next time they log in.

-r retries
Up to retries attempts may be made to choose a new password for user name.

-s
Report the password attributes of user name (or, if the -a option is given, of all users). The format of the report is:

name status mm/dd/yyyy minimum expiration

where status is ``PS'' if the user has a password, ``LK'' if the user is administratively locked, or ``NP'' when the user does not have a password. The date of the last successful password change (or deletion) is shown as mm/dd/yyyy. If neither name nor -a is specified, the name of the user who logged in is assumed. Only system administrators can examine the attributes of users other than themselves.

If no -d, -f, -l, -u, or -s option is specified, the password for user name is changed as described above. If no name is given and no option which requires name is given, then the name of the user who logged in is used. Only the -a option may be specified with the -s option.
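An added example (not part of the original manual page): a Python sketch that parses a saved passwd -s -a report and flags accounts with no password, locked accounts, and passwords past their expiration time. It assumes the five whitespace-separated fields described above, with minimum and expiration in days and 0 meaning no expiration is set; the sample report and function names are constructed.

```python
from datetime import date, datetime, timedelta

# Constructed sample report: name status mm/dd/yyyy minimum expiration
SAMPLE_REPORT = """\
root    PS 01/15/2003 0  90
alice   PS 11/02/2002 14 60
bob     NP 12/20/2002 0  0
uucp    LK 06/01/2001 0  0
garbled line
"""

def parse_report(text):
    """Return (entries, rejected); malformed lines are kept for review."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            name, status, changed, minimum, expiration = line.split()
            if status not in ("PS", "LK", "NP"):
                raise ValueError(status)
            entries.append({
                "name": name, "status": status,
                "changed": datetime.strptime(changed, "%m/%d/%Y").date(),
                "minimum": int(minimum), "expiration": int(expiration),
            })
        except ValueError:
            rejected.append(line)
    return entries, rejected

def audit(entries, today=None):
    """Return (name, finding) pairs an administrator should review."""
    today = today or date.today()
    findings = []
    for e in entries:
        if e["status"] == "NP":
            findings.append((e["name"], "no password"))
        elif e["status"] == "LK":
            findings.append((e["name"], "administratively locked"))
        elif e["expiration"] > 0:  # assumption: 0 means no expiration set
            expires = e["changed"] + timedelta(days=e["expiration"])
            if today > expires:
                findings.append((e["name"], "expired " + expires.isoformat()))
    return findings
```

Lines that do not match the documented format are returned separately rather than skipped, so a truncated or altered report is visible to the reviewer.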

Modem (dialup shell) passwords

When a user whose login shell is listed in /etc/d_passwd with an (encrypted) password logs in on a terminal line listed in /etc/dialups, the password in /etc/d_passwd must be supplied before the login succeeds. The -m option to passwd allows system administrators to change, delete, or invalidate (lock) the passwords for login shell name:

-d
Delete the password.

-l
Invalidate (``lock'') the password by arranging so that no matter what the user enters, it will not be a valid password. Doing so causes the old password to be lost.

-r retries
Up to retries attempts may be made to choose a new password.

The name must always be specified. If name begins with a slash (/) then only the password for the login shell which completely matches name is changed. Otherwise, the password for every shell listed in /etc/d_passwd whose basename is name is changed.

This does not mean that only one line is needed per shell in /etc/d_passwd. For example, to have the option of using either /bin/csh or /usr/local/csh, each must be specified on a separate line in /etc/d_passwd. However, the dialup passwd for both shells can be changed at once with the command:

passwd -m csh

If neither the -d nor -l option is specified, the password is changed. The new password is prompted for twice, and must pass checks similar to those for login passwords (see below).
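An added example (not part of the original manual page): a Python sketch of the name matching used by passwd -m, plus a check for accounts whose login shell has no password set in /etc/d_passwd and so is not asked for a dialup password. The file contents, placeholder hashes and function names are constructed; the line format shell:encrypted-password:reserved is the one given in this page.

```python
import posixpath

# Constructed /etc/d_passwd and /etc/passwd contents; hashes are placeholders.
D_PASSWD = """\
/bin/csh:PLACEHOLDERHASH1:
/usr/local/csh:PLACEHOLDERHASH2:
/bin/sh::
"""
PASSWD = """\
alice:x:200:50:Alice:/usr/alice:/bin/csh
bob:x:201:50:Bob:/usr/bob:/bin/ksh
carol:x:202:50:Carol:/usr/carol:/bin/sh
"""

def parse_d_passwd(text):
    """Map shell path -> encrypted password field (may be empty)."""
    table = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0].strip():
            table[parts[0].strip()] = parts[1].strip()
    return table

def shells_changed_by(name, table):
    """Shells whose dialup password `passwd -m name` would change."""
    if name.startswith("/"):
        # A leading slash means the complete path must match.
        return [s for s in table if s == name]
    return [s for s in table if posixpath.basename(s) == name]

def accounts_without_dialup_password(passwd_text, table):
    """Accounts whose login shell is unlisted or has an empty password."""
    missing = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not table.get(fields[6]):
            missing.append((fields[0], fields[6]))
    return missing
```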

Checking for obvious passwords

To discourage poor password choices, various checks are applied to reject unacceptable passwords. The checks which are applied depend on the type of password being checked and the system's configuration. Most of the checks for being easy to guess are configurable; see goodpw(ADM).

The check procedure is as follows (a password is restricted if ``checked for obviousness'' is set in the Password Restrictions selection of the Account manager):

User login passwords only: the new password must not be the same as the old password. The password must not be empty (or be deleted) unless the user is not required to have a password.

All other passwords: the new and old password can be the same. Empty passwords are treated as deleted passwords and are always acceptable.

All (non-empty) passwords: if the password is not empty, it must be at least PASSLENGTH characters long (see below).

All (non-empty) passwords: if the goodpw utility can be run, it is used to perform all further checks. If the file CHECKDIR exists (and can be read by goodpw) that file is used to modify the default settings in /etc/default/goodpw. The CHECKDIR is specified by CHECKDIR in /etc/default/passwd and type is the kind of password being checked (user, or modem). The strength is the degree of checking to be done: secure if the user is restricted (or, for all other password types, if the system default is restricted); otherwise weak.

When goodpw cannot be run (all passwords): if the password is not empty, it must contain at least one character which is not a lowercase letter (but must not consist solely of digits).

When goodpw cannot be run (user login passwords only): finally, for user login passwords which are restricted, the password must not be a palindrome, any user's login name, the name of any group, or a correctly spelled English word (American spelling); see acceptable_password(S).

System-generated passwords are not checked unless the user is restricted (see above), in which case the generated password must pass the checks in step 5 before it is suggested to the user. Generated passwords are never checked by goodpw.
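An added example (not part of the original manual page, and not the code of goodpw or acceptable_password(S)): a Python model of the simpler checks described above for the case where goodpw cannot be run, applied to a non-empty password. The word, login and group lists are constructed, and comparing dictionary words without regard to case is an assumption.

```python
import string

# Constructed sample data standing in for the dictionary, /etc/passwd, /etc/group.
WORDS = {"password", "secret"}
LOGINS = {"root", "alice"}
GROUPS = {"sys", "staff"}

def internal_checks(pw, passlength, restricted=False,
                    logins=(), groups=(), words=()):
    """Return the reasons a non-empty password is rejected ([] = accepted)."""
    if not pw:
        raise ValueError("empty passwords are handled by a separate rule")
    reasons = []
    if len(pw) < passlength:
        reasons.append("shorter than PASSLENGTH")
    # At least one character must not be a lowercase letter ...
    if all(c in string.ascii_lowercase for c in pw):
        reasons.append("only lowercase letters")
    # ... but the password must not consist solely of digits.
    if all(c in string.digits for c in pw):
        reasons.append("only digits")
    if restricted:  # user login passwords checked for obviousness
        if pw == pw[::-1]:
            reasons.append("palindrome")
        if pw in logins:
            reasons.append("login name")
        if pw in groups:
            reasons.append("group name")
        # Assumption: the dictionary comparison ignores case.
        if pw.lower() in words:
            reasons.append("English word")
    return reasons
```

With these checks alone, a dictionary word with a digit appended or spelled backwards is accepted, which is the weakness the ``Choosing a good password'' section warns about.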


Several parameters may be specified in /etc/default/passwd. The various settings, and their default values are:

The minimum length of a password. The maximum length of a password is 80. Specifying PASSLENGTH overrides the computed value based on the lifetime of the password, delay between login attempts (and other variables -- see passlen(S)). To use the computed value set PASSLENGTH to an asterisk (*).

The maximum number of repeated attempts to change a password that has been rejected. If RETRIES is less than 1, then 1 is assumed.

If set to YES, a rejected password is added to the stop-list passed to goodpw. This prevents simplistic modifications of a rejected password from being accepted on a later attempt.

The contents of this file are shown once (before the new password is prompted for) and should describe the difference between acceptable and unacceptable passwords.

The contents of this file are shown each time a password is rejected, and should be a (short) reminder of what are and are not acceptable passwords.

A hierarchy of additional checks goodpw should perform, based on password type and restrictions (see above).

Defines the location of the goodpw program. If set to NO then goodpw is not used and the simpler internal checks are applied instead. Under these circumstances the super user is not forced to comply with the password construction requirements; the only checks enabled are for minimum password length, and null passwords are allowed. If GOODPW is set to YES then /usr/bin/goodpw is used to perform password checks. Alternatively GOODPW can be set to the path of some other goodpw-style program.

The values for the default settings may be changed to reflect the system's security concerns.

If /etc/default/passwd does not exist or is not readable, the above default values are used.

If the DESCRIBE or SUMMARY file defined in /etc/default/passwd does not exist or cannot be read, short (and vague) descriptions or summaries are issued instead. In addition, if the user who logged in is a system administrator, an error message describing the problem is printed.

If the selected GOODPW program does not exist or is not executable, the simpler internal checks are performed (see above). In addition, if the user who logged in is a system administrator, an error message describing the problem is printed.


Terminal lines specified in /etc/dialups must specify the complete path; for example, /dev/ttyxx, not just ttyxx.

The -r option is mostly useful during installation to force the newly-installed super user to have a password.


The behavior of this command is affected by assignment of the auth authorization in authorize(F). Users with this authorization can set extra security features. Refer to subsystem(M) for more details.


file Control database

system Defaults database; contains default parameters

list of dialup shells and passwords (one per line):
shell:encrypted-password:reserved
where shell is the pathname of a login shell as used in /etc/passwd

configurable settings (see ``Default'' above)

list of terminal lines on which remote logging in is permitted

list of groups

list of user accounts

protected Password database entry for user name (where the first character in name is initial)

See also

acceptable_password(S), authcap(F), authsh(ADM), default(F), goodpw(ADM), group(F), login(M), mnt(C), newgrp(C), passlen(S), passwd(F), yppasswd(NC)

Standards conformance

passwd is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003