Changing a password in Ubuntu is a two-command operation. But situations vary: changing your own password, changing another user's password, changing the root password, or resetting a password when access is already lost. All scenarios covered here.
The passwd Command: The Foundation
passwd is the standard utility for managing user passwords in Linux. Without arguments it changes the current user's password; with an argument it changes the specified user's password (requires sudo).
Change Your Own Password
Open a terminal and run:
passwd
The system will ask for the current password, then the new password twice. Characters are not displayed during input — this is normal, not a terminal error.
Changing password for user alex.
Current password:
New password:
Retype new password:
passwd: password updated successfully
The current password is requested as protection against the "stepped away and someone changed the password" scenario. Root skips this step.
Change Another User's Password
Only for users with sudo privileges:
sudo passwd username
The user's current password is not requested — sudo has already confirmed the authority. The system immediately asks for the new password twice.
sudo passwd john
New password:
Retype new password:
passwd: password updated successfully
To see a list of all users in the system:
cut -d: -f1 /etc/passwd
Or only those with a shell (real users):
grep -E '/bin/bash|/bin/sh|/bin/zsh' /etc/passwd | cut -d: -f1
Change the Root Password
Two equivalent methods.
Method 1 — via sudo su:
sudo su
passwd
After sudo su, a shell opens as root. The passwd command without arguments changes the current user's password — which is now root.
Method 2 — directly:
sudo passwd root
The result is identical. The second method is shorter and does not require entering the root shell.
Note: on Ubuntu the root account is locked for direct login by default — this is an intentional security decision. Change the root password only if there is a genuine need to log in directly as root. For most administrative tasks, sudo is sufficient.
Password Requirements and Policies
Ubuntu uses PAM (Pluggable Authentication Modules) to validate passwords. By default in Ubuntu 20.04 there are no complexity requirements — the system will accept any password, including a single character.
To enforce a password policy — install libpam-pwquality:
sudo apt install libpam-pwquality
Configure it in /etc/security/pwquality.conf:
sudo nano /etc/security/pwquality.conf
Useful parameters:
# Minimum password length
minlen = 12
# Minimum number of digits
dcredit = -1
# Minimum number of lowercase letters
lcredit = -1
# Minimum number of uppercase letters
ucredit = -1
# Minimum number of special characters
ocredit = -1
# Prevent using part of the username in the password
usercheck = 1
Changes take effect immediately after saving — no service restart required.
Set Password Expiration
On servers it is sometimes necessary for passwords to expire automatically, forcing users to change them.
View current expiration settings:
sudo chage -l username
Set maximum password age (in days):
sudo chage -M 90 username
Set a warning N days before expiration:
sudo chage -W 7 username
Force a user to change their password on next login:
sudo chage -d 0 username
After this command, the system will not let the user proceed on their next login until they set a new password.
Lock and Unlock a User Account
Lock an account (password is not deleted, login becomes impossible):
sudo passwd -l username
Unlock:
sudo passwd -u username
Check status:
sudo passwd -S username
In the output, L means locked, P means active (password set).
Resetting a Password When Access Is Lost
Scenario: password forgotten, login is impossible. On a VPS there is usually console access through the control panel — this is the preferred path. On a physical machine — through recovery mode.
Method 1: Via VPS Console (Control Panel)
Most providers offer a web console or VNC access to the server directly, bypassing SSH. Through it, login is possible even without a password (or with a password from the control panel), and then sudo passwd username can be run.
Method 2: Via Recovery Mode (Physical Machine or KVM VPS)
- Reboot the server and in the GRUB menu select Advanced options for Ubuntu.
- Select the line ending with (recovery mode).
- In the recovery menu select root — Drop to root shell prompt.
- Remount the filesystem in write mode:
mount -o remount,rw /
- Change the password:
passwd username
- Reboot:
reboot
Common Errors
passwd: Authentication token manipulation error The filesystem is mounted read-only. Fix: mount -o remount,rw /
passwd: Permission denied Attempting to change another user's password without sudo. Add sudo before the command.
You must choose a longer password The password policy (pwquality) triggered. The new password does not meet length or complexity requirements.
passwd: password unchanged The new password matches the old one, or failed the pwquality check.
Quick Reference
| Task | Command |
|---|---|
| Change own password | passwd |
| Change another user's password | sudo passwd username |
| Change root password | sudo passwd root |
| Force password change on next login | sudo chage -d 0 username |
| Set 90-day password expiration | sudo chage -M 90 username |
| View password expiration info | sudo chage -l username |
| Lock a user account | sudo passwd -l username |
| Unlock a user account | sudo passwd -u username |
| Check password status | sudo passwd -S username |