# auto expire user password



## andrian (Sep 26, 2019)

Hi. Please tell me how I can implement the automatic expire of the user's password on the FreeBSD system. For example, the user has to change the password every 90 days.
Do I need to write a script, or is such functionality present in the system?


----------



## T-Daemon (Sep 26, 2019)

Have a look at "How to set Password Change Time in FreeBSD"

You might be also interested in `warnpassword=` in /etc/login.conf. login.conf(5)


----------



## xtaz (Sep 26, 2019)

Note that this will usually make the password less secure and isn't generally recommended these days. It just encourages users to make their passwords things like password1, password2, password3 etc. Better to have a long passphrase like correcthorsebatterystaple and not force it to be changed all the time. https://www.xkcd.com/936/


----------



## SirDice (Sep 26, 2019)

xtaz said:


> Note that this will usually make the password less secure and isn't generally recommended these days.


While I certainly agree with this it's usually set in some security policy and you just have to follow that. 



xtaz said:


> It just encourages users to make their passwords things like password1, password2, password3 etc.


You can prevent this from happening by using pam_passwdqc(8):

```
similar=permit|deny
             (similar=deny) Whether a new password is allowed to be similar to
             the old one.  The passwords are considered to be similar when
             there is a sufficiently long common substring and the new
             password with the substring removed would be weak.
```
There are still ways to make similarly looking passwords but at least it will prevent some of the obvious ones.
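Where that option is set, as an added example that is not FreeBSD's stock /etc/pam.d/passwd verbatim: the `password` facility of /etc/pam.d/passwd, first as shipped (pam_passwdqc.so commented out, pam_unix.so alone) and then with pam_passwdqc.so enabled in front of it. The `min=` tuple is pam_passwdqc's documented default and the `retry=3` value is a choice, not a requirement; `enforce=everyone` makes the check apply to root's own password changes as well.

```text
# /etc/pam.d/passwd, "password" facility (added example)

# As shipped: quality checking disabled, pam_unix.so alone
#password  requisite  pam_passwdqc.so  enforce=users
password   required   pam_unix.so      no_warn try_first_pass nullok

# With pam_passwdqc.so enabled ahead of pam_unix.so
password   requisite  pam_passwdqc.so  enforce=everyone similar=deny min=disabled,24,11,8,7 retry=3
password   required   pam_unix.so      no_warn use_first_pass
```

The control flag on the pam_passwdqc.so line is `requisite` so that a rejected password stops the stack at once instead of falling through to pam_unix.so; pam_unix.so keeps `required` and takes `use_first_pass` so it stores the password pam_passwdqc.so already prompted for rather than asking a second time. Dropping `nullok` on the second line is deliberate: with a quality policy in force, an empty password should not be accepted either.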


----------



## T-Daemon (Sep 26, 2019)

SirDice said:


> You can prevent this from happening by using pam_passwdqc(8):
> 
> ```
> similar=permit|deny
> ...


Looking where to set that option I was made aware by pam.conf(5) of /etc/pam.d/service-name, in this case the service-name of interest being /etc/pam.d/passwd.

How should options belonging to pam_passwdqc(8) be set? By uncommenting the line `#passwd   requisite pam_passwdqc.so ...` and adding the options there besides module `pam_unix.so`, or by commenting `pam_unix.so`, having the `pam_passwdqc.so` module alone? And how should the control-flag be set, `requisite` or `required`?


----------



## anbj (Feb 23, 2021)

andrian,

This is a late answer, but I want to resurrect this thread in case you're still having trouble or if anyone else is having the same problem. I've struggled with the same, and my findings are:

* choose the appropriate `:passwordtime:`, in your case `:passwordtime=90d:`, and add it to the wanted class in `/etc/login.conf`.
* run `doas cap_mkdb /etc/login.conf`

Now, in order for the expiry to get going, you first have to manually change the password; this may be done with `passwd`, `chpass`, `pw` or `vipw`.

An expiry will not be set automatically for any user added after adding `:passwordtime:` to `/etc/login.conf`. You still need to change the password before (periodic) expiry is enabled.

A bug or feature? I don't know. To me it's a bug.
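The two steps above, scripted, as an added example that is neither anbj's nor FreeBSD's own code: a small sh script that sets (or replaces) `:passwordtime=VALUE:` in one login class of a login.conf file and then runs cap_mkdb. It assumes the class record starts with a header line of exactly `class:\` (as in the stock file; aliased headers such as `a|b:\` are not matched) and that continued lines end with a backslash. cap_mkdb is only invoked where it exists, so the edit itself can be exercised on any system; the third step from the post, changing each user's password so the expiry clock actually starts, is not something the script can do for you.

```shell
#!/bin/sh
# Added example (not anbj's or FreeBSD's code): manage ":passwordtime=VALUE:"
# for one login class in a login.conf-style file and rebuild login.conf.db.
# Assumption: the class record begins with a header line of exactly "CLASS:\".

# Print the passwordtime value for CLASS in FILE (prints nothing if unset).
# Usage: get_passwordtime FILE CLASS
get_passwordtime() {
    awk -v class="$2" '
        $0 == class ":\\" { inrec = 1; next }     # header of the wanted record
        inrec && /^[^ \t#]/ { inrec = 0 }         # a new record header ends it
        inrec && match($0, /:passwordtime=[^:]*:/) {
            # ":passwordtime=" is 14 chars; drop it and the closing ":"
            print substr($0, RSTART + 14, RLENGTH - 15); exit
        }' "$1"
}

# Insert or replace ":passwordtime=VALUE:" in the CLASS record of FILE.
# An existing value is rewritten in place so line continuations stay intact;
# otherwise the capability is added on its own line right under the header.
# Usage: set_passwordtime FILE CLASS VALUE
set_passwordtime() {
    file=$1; class=$2; value=$3
    awk -v class="$class" -v value="$value" '
        { line[NR] = $0 }
        END {
            # pass 1: does the record already carry passwordtime?
            inrec = 0; has = 0
            for (i = 1; i <= NR; i++) {
                l = line[i]
                if (l == class ":\\") inrec = 1
                else if (inrec && l ~ /^[^ \t#]/) inrec = 0
                if (inrec && l ~ /:passwordtime=[^:]*:/) has = 1
            }
            # pass 2: emit the file with the capability set
            inrec = 0
            for (i = 1; i <= NR; i++) {
                l = line[i]
                if (l == class ":\\") {
                    inrec = 1; print l
                    if (!has) print "\t:passwordtime=" value ":\\"
                    continue
                }
                if (inrec && l ~ /^[^ \t#]/) inrec = 0
                if (inrec && l ~ /:passwordtime=[^:]*:/)
                    sub(/:passwordtime=[^:]*:/, ":passwordtime=" value ":", l)
                print l
            }
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The procedure from the post: edit the class, then rebuild login.conf.db.
# cap_mkdb exists on FreeBSD only; elsewhere just the edit is performed.
# Users must still change their password once before the expiry is armed.
# Usage: apply_passwordtime FILE CLASS VALUE
apply_passwordtime() {
    set_passwordtime "$1" "$2" "$3"
    if command -v cap_mkdb >/dev/null 2>&1; then
        cap_mkdb "$1"
    fi
}

# Example invocation: sh this_script.sh /etc/login.conf default 90d
if [ "$#" -eq 3 ]; then
    apply_passwordtime "$1" "$2" "$3"
fi
```

Running `get_passwordtime /etc/login.conf default` afterwards is a quick way to confirm the edit landed in the right class before rebuilding the database; a second `set_passwordtime` with a new value replaces the old one rather than adding a duplicate capability.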


----------

