One of my e-mail servers uses unix system accounts for user login.
Because I didn't set up any complex password policies (our users, including management staff, don't like complicated passwords), one of the accounts, which had a 6-letter dictionary password, was hacked and a few thousand spams were sent. So, naturally, our IP ended up in 3 RBLs.
After talking with the management, we decided that it was time to increase password complexity requirements. (minimum 8 characters, upper case, lower case, numbers, etc)
Now, here is the problem. How to make sure that all our users really change the password without having to check the logs, chage command output, etc?
The best solution I could think of, was to set a 10 day password expiration for all users and then send a mass email to everyone, telling them that if they don't change their password, after 10 days they won't be able to login.
So I started doing tests, to see if this was a viable solution and I encountered a problem that I should have foreseen:
Even though I set the password expiration to 10 days (chage -M 10 user), after changing the password, the expiration date remained the same, instead of returning to "never".
Is there some way of turning off password expiration after the user has changed their password? (Users can change their password via the webmail interface, using a script based on the chpasswd command.)
Best Answer
I would try to combine the chage -M (MAX_DAYS) and -d (LAST_DAY) options.

So given these options, decide how often you want your passwords to expire. Obviously you don't want them to expire every 10 days, so the -M option should be set to a higher value. To make your users change their passwords in the next 10 days, set the -d (LAST_DAY) option to a value such that

LAST_DAY + MAX_DAYS == TODAY + 10 DAYS

This trick will allow you to make the password expiration date approach faster. Once the password is changed, the next expiration date will be set based on the value specified with the -M option.
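A worked version of the LAST_DAY + MAX_DAYS == TODAY + 10 DAYS arithmetic, added here as an example and not part of the answer above. It relies on chage -d accepting LAST_DAY as a count of days since 1970-01-01 (the same unit chage uses internally), so the whole calculation stays in epoch days and needs no date-string parsing. The 90-day MAX_DAYS, the UID >= 1000 convention for human accounts, and the function names are assumptions for illustration; the script only prints the chage commands so an administrator can review them before running them as root.

```shell
#!/bin/sh
# Added example: compute the chage -d value so that
#   LAST_DAY + MAX_DAYS == TODAY + GRACE_DAYS
# The current password then expires in GRACE_DAYS days, while any password
# changed after that keeps the normal MAX_DAYS lifetime set with chage -M.
# chage -d accepts the day count since 1970-01-01, so arithmetic is in epoch days.

# last_day_for <max_days> <grace_days> [today_in_epoch_days]
# Prints the LAST_DAY value (days since 1970-01-01) to pass to chage -d.
# The optional third argument makes the function deterministic for testing.
last_day_for() {
    max_days=$1
    grace_days=$2
    today=${3:-$(( $(date +%s) / 86400 ))}
    echo $(( today + grace_days - max_days ))
}

# chage_plan <user> <max_days> <grace_days>
# Prints the two chage commands for one account (to be run as root).
chage_plan() {
    user=$1
    max_days=$2
    grace_days=$3
    last_day=$(last_day_for "$max_days" "$grace_days")
    printf 'chage -M %s %s\n' "$max_days" "$user"
    printf 'chage -d %s %s\n' "$last_day" "$user"
}

# plan_all_users <max_days> <grace_days>
# Assumed convention: human accounts have UID >= 1000 and a real login shell.
# Nothing is changed; the output is meant to be reviewed, then run by root.
plan_all_users() {
    max_days=$1
    grace_days=$2
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ {print $1}' /etc/passwd |
    while read -r user; do
        chage_plan "$user" "$max_days" "$grace_days"
    done
}

# Example: 90-day maximum age, force a change within the next 10 days.
plan_all_users 90 10
```

After the commands have been applied, chage -l USER should show "Password expires" ten days out for everyone who has not yet changed their password, and a full MAX_DAYS after the change for those who have; that listing is the check to run instead of reading logs.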