Chage

The first, and probably best, method for forcing a user to reset their password is the chage command. It changes the age of a user’s password, which can be used to forcibly expire that password. This method works across all logins, including SSH.

You’ll be using chage in conjunction with the -d flag. The -d flag sets the date the user’s password was last changed, expressed as the number of days since January 1, 1970 (the beginning of time in computing). Setting that value to zero causes the password to expire immediately. The next time the user signs in, they’ll be prompted to change their password. You can confirm that this worked with the -l flag, which lists information about the account.

Passwd

You can also force a user’s password to expire with the usual passwd command. Passwd is used for all sorts of password management tasks, including setting expiration dates and immediately expiring passwords.

After a Set Time

Passwd is often used to force passwords to expire after a set duration, say thirty days. This is accomplished by passing a number of days to the -x flag. You can give the user a heads-up a few days before their password expires with the -w flag. Pass it the number of days you want to warn the user before their password is no longer valid.

Immediately

You can use passwd to immediately expire a user password, too. This will ignore any existing timers, and present the user with a message as soon as they go to log in again. The -e flag will handle this.

Whether you’re using chage or passwd, you can control all the passwords on your Linux system with relative ease. It’s generally good practice to set an expiration date for your passwords with passwd for regular operations and security practices. Then, in case of emergency, use chage to cut off an account instantly. If you suspect that a user’s account is the one that’s compromised, consider locking the account instead, as detailed in the passwd guide linked earlier.
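The states these flags produce can be audited without changing anything. The script below is an added example, not part of the original article: it classifies shadow-format entries the way the text describes (a last-change value of zero means "must change at next login", -x sets the maximum age, -w the warning window). The function names, the sample entries and the "today" value are constructed, and the field layout is assumed from shadow(5).

```shell
#!/bin/sh
# Added example: read-only audit of password-aging state in shadow-format
# lines. Fields per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:
# Function names and the sample data are constructed for illustration.

# shadow_status ENTRY TODAY -> prints one state for the entry.
# TODAY is a day count since 1970-01-01, the same unit chage -d uses.
shadow_status() {
    IFS=: read -r _name _hash lastchg _min max warn _rest <<EOF
$1
EOF
    today=$2
    # lastchg of 0 is what "chage -d 0" and "passwd -e" leave behind.
    if [ "$lastchg" = 0 ]; then echo must-change; return; fi
    # Empty lastchg or max means no maximum age is enforced.
    if [ -z "$lastchg" ] || [ -z "$max" ]; then echo no-aging; return; fi
    expires=$((lastchg + max))            # max is set by "passwd -x"
    warn_from=$((expires - ${warn:-0}))   # warn is set by "passwd -w"
    # Simplification: the exact boundary day may differ on a real system.
    if [ "$today" -ge "$expires" ]; then echo expired
    elif [ "$today" -ge "$warn_from" ]; then echo warning
    else echo ok
    fi
}

# audit_shadow TODAY < file -> prints "user state" for every entry on stdin.
audit_shadow() {
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf '%s %s\n' "${entry%%:*}" "$(shadow_status "$entry" "$1")"
    done
}

# Constructed sample entries (hash field replaced by "x").
sample_shadow() {
    cat <<'EOF'
alice:x:0:0:30:7:::
bob:x:19900:0:30:7:::
carol:x:19975:0:30:7:::
dave:x:19990:0:30:7:::
erin:x:19000:0:::::
EOF
}

# Demo with a constructed "today" of day 20000.
sample_shadow | audit_shadow 20000
```

On a real system, run it as root with `audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow` and compare any entry against `chage -l` for that user.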