Did you know a backdoor malware named Ebury has infected Linux servers for over 14 years? It targets SSH (Secure Shell) connections to maintain persistent access to infected servers. Ebury mainly spreads through theft of SSH credentials.
If you’re using SSH or key-based authentication for Linux, a password manager like LastPass can keep your keys safe. Plus, if you’re managing Linux passwords, a Secure by Design password manager that automatically syncs across devices makes your job easier.
Below, we share our best practices for how to change Linux passwords – and how to keep them safe.
Understanding Linux Passwords
What is Linux and why is it important for password management?
As you know, Linus Torvalds developed the Linux operating system in the 1990s as a free (open source) alternative to Unix.
Today, it’s widely used in smartphones, TVs, servers, refrigerators, desktops, and even Roku devices.
You may be familiar with Linux distributions such as Debian, Red Hat, Ubuntu, and Kali Linux (especially popular with security professionals). A Linux distribution (or distro) combines the Linux kernel with tools, libraries, and apps to make a complete operating system.
For those in the education industry, Escuelas Linux is a free Linux distro aimed at preschool to high school students.
As you’re aware, Linux originally used the crypt function to hash passwords. But as calls for more robust data security grew, Linux adopted MD5 hashing. Traditional MD5 doesn’t include salting, which made it vulnerable to rainbow table attacks.
Today, Linux combines salting with more secure hashing algorithms like SHA-256, SHA-512, or Argon2. Below, we explain how Linux systems can be integrated with password managers and centralized authentication services like Active Directory for robust, streamlined password management.
Different types of Linux passwords and their significance
User, root, and service passwords manage access to resources within a Linux system:
User passwords: If you’re a Linux user, your password allows you to authenticate to a Linux system, access your files, and run approved apps. You won’t have admin privileges, however. Account records live in /etc/passwd, while the password hashes themselves are kept in the root-only /etc/shadow file (older systems stored them in /etc/passwd).
Root passwords: If you’re a superuser or system administrator, root status allows you to install software, change system configurations, and modify file permissions.
You know this type of password grants the highest privileges and understand that it’s highly targeted by attackers.
Service passwords: As you know, these passwords are associated with service (rather than human) accounts, such as a service account managing access to a MySQL database. Service accounts present significant security risks as they’re often protected by default passwords.
Once a service account is breached, an attacker can install backdoors to gain persistent access, prevent legitimate users from accessing services, steal intellectual property, exfiltrate data, or install ransomware to hijack the system.
The role of password encryption in Linux
Password encryption plays an important role in Linux security:
- One-way hashing algorithms are used, which means hashed passwords can’t be converted into their plaintext versions.
- If you’re a system administrator, you're familiar with using the mkpasswd command to generate SHA-512 password hashes or password-based encryption keys to boost the security of a Linux distribution.
- Newer Red Hat Linux and Debian Linux distributions with PAM (Pluggable Authentication Modules) allow ad hoc changes in authentication methods. This means you can set resource limits for all users so they can’t perform DoS (denial-of-service) attacks. PAM also enables logins at specific times and only from specific users in specific locations.
- Individual users can either encrypt their personal files using GPG public key encryption or use a Secure by Design password manager to store their own passwords.
Changing Your Linux Password
Step-by-step guide for Linux users
If you’re a Linux user, changing your password generally involves these steps:
- Open Terminal: Open a terminal window.
- Enter Command: Type in the passwd command and hit Enter.
- Current Password: Type in your current password and hit Enter.
- New Password: Input your new password, hit Enter, and then retype it to confirm.
Best practices for creating a strong and secure Linux password
To create strong, secure passwords, follow the newest NIST and CISA guidelines:
- Prioritize length (ideally 15 characters) as the main factor in password strength.
- Allow up to 64 characters to accommodate the use of passphrases.
- Accept the use of Unicode and ASCII characters.
- Use the OpenSSL command. First, open your Linux terminal. Let’s say you need a 14-character password. You’ll use the syntax openssl rand -base64 14 and hit Enter to execute the command. For a 20-character password, you’ll type in openssl rand -base64 20. Note that the number is a count of random bytes, so the Base64 output is somewhat longer than that; trim it to the length you need.
- Install pwgen and then type in $ pwgen 14 1 to get a 14-character password.
- Install xkcdpass to generate secure Linux passphrases.
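As an added example (not from the original post), a shell function that produces a password of exactly the requested length from openssl's random bytes, correcting for the fact that the argument to openssl rand counts bytes rather than characters; it falls back to /dev/urandom when openssl is absent.

```shell
#!/bin/sh
# Generate a password of exactly LEN characters from random bytes. The number
# given to "openssl rand -base64" is a byte count, and Base64 turns every 3
# bytes into 4 characters, so request enough bytes and trim the result rather
# than passing LEN straight through.
gen_password() {
  len="$1"
  bytes=$(( (len * 3 + 3) / 4 + 2 ))     # slightly more than needed
  if command -v openssl >/dev/null 2>&1; then
    raw=$(openssl rand -base64 "$bytes")
  else
    raw=$(head -c "$bytes" /dev/urandom | base64)   # fallback: kernel CSPRNG
  fi
  # Remove line wrapping and '=' padding, then cut to the requested length.
  cleaned=$(printf '%s' "$raw" | tr -d '\n=')
  printf "%.${len}s\n" "$cleaned"
}

# How many Base64 characters "openssl rand -base64 N" produces for N bytes,
# padding included: 14 bytes give 20 characters, 20 bytes give 28.
base64_chars() {
  echo $(( ($1 + 2) / 3 * 4 ))
}

gen_password 14
gen_password 20
```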
How to ensure password synchronization across multiple Linux devices with LastPass
Need to synchronize your passwords across multiple Linux devices? Here are easy ways to do it with LastPass:
- Install the LastPass browser extension on each Linux device with the Universal Linux Installer for Opera, Chrome, or Firefox. Once installed on each device, you can log into your LastPass account to sync with your vault.
- Use the LastPass Command Line Interface (CLI) tool to manage your credentials from the terminal of your Linux devices. Any changes made through the CLI are reflected across all your devices where LastPass has been installed.
Changing Another User's Password in Linux
Instructions for changing passwords of other user accounts in Linux
If you have root privileges, you can change the passwords of other users or force a reset with these methods:
Using the sudo passwd command to change another user’s password:
- Open a terminal.
- To ensure you have root status, run the command $ sudo su
- Type in your password after the prompt and hit Enter.
- Next, type the command $ passwd username (replace “username” with the actual name of the specific user).
- Enter the new password for the user.
- Type in the new password again and press Enter.
- If successful, you’ll get a message informing you the password has been updated.
Using the GRUB bootloader to reset a password when you can’t log in:
- Reboot the system.
- Bring up the GRUB menu, choose the Linux kernel and hit ‘e’ to edit.
- Find the line beginning with “linux” and add init=/bin/bash at the end.
- Press Ctrl+X to boot with the edited entry.
- The root filesystem is mounted read-only at this point, so before changing passwords you’ll need to remount it read-write with this command: mount -o remount,rw /
- Use the passwd command to change the user’s password.
- Reboot the system by entering the command sync and then reboot -f
Considerations for changing passwords as a root user
If you’re an administrator forced to implement a company-wide password reset after a breach, you may face pushback from already stressed and overwhelmed employees. Two considerations may help ease the process:
- Getting executive buy-in by highlighting the compliance advantages of the reset and its alignment with business goals
- Practising empathy by listening intentionally, welcoming employee feedback, and addressing immediate concerns
Ensuring proper communication and authorization when changing another user's password
Need to implement a company-wide password reset or change another employee’s password?
Be sure to use a multi-channel approach in your communications, such as email, text messages, Slack announcements, or team meetings.
In addition, provide clear instructions on how to reset passwords and specify the deadlines for complying.
You’ll also want to work with HR and IT to ensure full employee participation and an effective incident response plan for any scenarios that arise.
Forcing a Password Reset in Linux
Why and when it is necessary to force a password reset in Linux
It may be necessary to force a password reset in four scenarios:
- Employee Offboarding: A password reset can prevent serious insider threats such as intellectual property theft.
- Security Incidents: When a security breach occurs, an immediate password reset is strongly recommended by NIST.
- Forgotten Passwords: When users lose or misplace their credentials, a password reset helps them recover access to their files.
- New User Onboarding: When new employees are provisioned, a password reset ensures users replace default passwords with their own unique passwords.
Short tutorial on commands for forcing a password reset in Linux
When breaches or security incidents occur, you can use the sudo passwd command to force users to reset their passwords.
Ensure you have root permissions before running the command $ sudo passwd -e username. This expires the user’s current (compromised or old) password immediately, so they will be forced to create a new password upon their next login.
For example, you’d like to require Cindy to change her password when she next logs in. To do so, you’ll run the command: sudo passwd -e cindy
NIST no longer recommends periodic password resets. However, there may be instances that warrant it, such as after a company-wide move to another cloud service. At such a time, you’ll want to define the number of days a current user account password remains valid.
So, let’s say you have a Linux CentOS system. And you want to expire Jen’s password after 30 days. This means Jen won’t have valid login credentials if she doesn’t reset her password within the 30-day window. The syntax you’ll use is:
# chage -M <number of days> <username>
# chage -M 30 Jen
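An added example, not part of the original post, that ties the hashing and the aging points together: it reads constructed /etc/shadow-style records (placeholder hashes, not real ones), names the hashing algorithm from each hash’s $id$ prefix, and reports whether a user must change their password under passwd -e or a chage -M maximum. The “today” value is passed in as days since the Unix epoch, the unit shadow itself uses.

```shell
#!/bin/sh
# Constructed /etc/shadow-style records (hashes are placeholders, not real):
#   name:hash:lastchg:min:max:warn:inactive:expire:
SHADOW_SAMPLE='cindy:$6$c0nstructed$NOTAREALHASH:0:0:99999:7:::
jen:$y$j9T$c0nstructed$NOTAREALHASH:19700:0:30:7:::
svc_mysql:*:19000:0:99999:7:::
legacy:$1$c0nstruct$NOTAREALHASH:18000:0:99999:7:::'

# Map the crypt(3) "$id$" prefix of the hash field to its algorithm name.
hash_alg() {
  case "$1" in
    '$1$'*) echo md5-crypt ;;
    '$5$'*) echo sha256-crypt ;;
    '$6$'*) echo sha512-crypt ;;
    '$y$'*) echo yescrypt ;;
    '*'|'!'*) echo locked ;;        # no usable password hash
    *) echo unknown ;;
  esac
}

# Classify one record, given "today" as days since the Unix epoch:
#   none    - lastchg empty: password aging is disabled for this account
#   forced  - lastchg is 0, which is what passwd -e sets: change at next login
#   never   - no maximum age (empty, or the conventional 99999)
#   expired - lastchg + max is already in the past
#   ok:N    - N days left before the maximum age (chage -M) is reached
age_status() {
  lastchg="$1" max="$2" today="$3"
  if [ -z "$lastchg" ]; then echo none
  elif [ "$lastchg" -eq 0 ]; then echo forced
  elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo never
  elif [ $(( lastchg + max - today )) -lt 0 ]; then echo expired
  else echo "ok:$(( lastchg + max - today ))"
  fi
}

# Print "user algorithm status" for every record in $1, evaluated on day $2.
shadow_report() {
  printf '%s\n' "$1" | while IFS=: read -r user hash lastchg min max rest; do
    echo "$user $(hash_alg "$hash") $(age_status "$lastchg" "$max" "$2")"
  done
}

shadow_report "$SHADOW_SAMPLE" 19720
```

On a real system the same check runs against a root-read copy of /etc/shadow, with today computed as $(( $(date +%s) / 86400 )).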
Precautions and best practices to avoid potential issues during a forced password reset
Concerned about a forced reset negatively impacting business operations? Here are our 7 best practices for avoiding issues:
- Enforce strong password guidelines based on NIST industry standards.
- Begin with a test group of users first: successful changes start small.
- Back up critical data before making a system-wide change.
- Inform all employees with timely communications to avoid confusion and unexpected lockouts.
- Consider securing critical accounts such as emergency access accounts with phishing-resistant MFA.
- Install the libpam-pwquality PAM module (or use the LastPass generator) to enforce minimum password length and complexity for Linux users.
- Monitor all business systems before and after the reset to ensure all issues are addressed.
Never Forget Your Password with LastPass
Our military-grade encrypted vaults keep all your Linux passwords, SSH keys, and sensitive data safe. With LastPass, you get secure password generation, storage, and password health monitoring all in one affordable package. Plus, you only need to remember one master password to access your vault.
And if you’re already using a directory service like Active Directory (AD), you can leverage SSSD/Winbind to authenticate Linux users via AD, integrate LastPass with AD, and then use the LastPass CLI to securely access Linux credentials. Finally, our powerful adaptive authentication options offer you another layer of security by allowing you to bypass passwords completely.
To check it out, start your LastPass Premium trial today.
FAQ:
How do I change my password in a Linux terminal?
You can do this by typing in the passwd command and then hitting Enter. When prompted, you’ll type in your current password before pressing Enter.
Next, you’ll input your new password, hit Enter, and then confirm it by typing it in again.
What command do I use to change my Linux password?
You can use the passwd command to change your Linux password.
Can I reset my password in the Linux terminal?
Yes. You can reset your password by using the Root account, running the sudo passwd command, or changing to write mode in the GRUB program.
How do I change user passwords in Linux without root privileges?
Your password is the only one you can change without root privileges.