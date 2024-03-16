Ensuring that users change their passwords from time to time is a practice that many system admins follow as part of their security plans. It’s an important step in cyber-defense because it lessens the likelihood that passwords will be compromised. At the same time, requiring overly frequent changes might have unintended side effects; users can be tempted to write down their passwords, or make them so much easier to remember that it becomes easier for someone else to guess what they might be.

Fortunately, Linux systems have a way to enforce some timing rules on how frequently passwords must be changed. The /etc/login.defs file allows you to set the parameters that control how long a password can be active before it expires (PASS_MAX_DAYS). It also allows you to set the minimum number of days that a password must remain active (PASS_MIN_DAYS). The second of these parameters ensures that a user can’t change his/her password and then immediately reset it to the former password – basically amounting to no change.
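
One way to check that these settings are actually in effect, as an added example that is not part of the original article: the aging values in login.defs are only applied when an account is created, so existing accounts keep whatever is stored in /etc/shadow (adjustable per user with chage -m and -M). The script below reads the policy and lists accounts whose stored minimum or maximum is weaker; the sample files and the function names get_login_def and audit_shadow are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit password aging against /etc/login.defs policy.
# The sample files below are constructed for the demo; on a real host, point
# the functions at /etc/login.defs and /etc/shadow (reading shadow needs root).

# Print KEY's value from a login.defs-style file (last uncommented entry wins).
get_login_def() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# List accounts with a password hash whose shadow fields 4 (min days) and
# 5 (max days) are weaker than the policy passed as MIN and MAX.
audit_shadow() {
    awk -F: -v min="$2" -v max="$3" '
        $2 == "" || $2 ~ /^[!*]/ { next }   # no usable password, nothing to age
        $4 + 0 < min + 0 || $5 == "" || $5 + 0 > max + 0 {
            printf "%s min=%s max=%s\n", $1, $4 + 0, ($5 == "" ? "never" : $5)
        }' "$1"
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT

cat > "$demo/login.defs" <<'EOF'
# constructed sample
#PASS_MAX_DAYS  99999
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
EOF

cat > "$demo/shadow" <<'EOF'
root:!:19700:0:99999:7:::
alice:$6$constructed$hash:19700:1:90:7:::
bob:$6$constructed$hash:19700:0:99999:7:::
carol:$6$constructed$hash:19700:1:365:7:::
EOF

max=$(get_login_def "$demo/login.defs" PASS_MAX_DAYS)
min=$(get_login_def "$demo/login.defs" PASS_MIN_DAYS)
echo "policy: PASS_MIN_DAYS=$min PASS_MAX_DAYS=$max"
echo "accounts not matching policy:"
audit_shadow "$demo/shadow" "$min" "$max"
```

Accounts the audit lists can be brought in line with chage, for example `chage -m 1 -M 90 bob` for the constructed account above.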