LinuxCommandLibrary

chpasswd

Change passwords in batch for users

TLDR

Change the password for a specific user

$ printf "[username]:[new_password]" | sudo chpasswd
copy

Change the passwords for multiple users (The input text must not contain any spaces.)
$ printf "[username_1]:[new_password_1]\n[username_2]:[new_password_2]" | sudo chpasswd
copy

Change the password for a specific user, and specify it in encrypted form
$ printf "[username]:[new_encrypted_password]" | sudo chpasswd [[-e|--encrypted]]
copy

Change the password for a specific user, and use a specific encryption for the stored password
$ printf "[username]:[new_password]" | sudo chpasswd [[-c|--crypt-method]] [NONE|DES|MD5|SHA256|SHA512]
copy

SYNOPSIS

chpasswd [-c TYPE] [-e] [-R CHROOT] [-s]

PARAMETERS

-c, --crypt-method TYPE
    Encryption type: none, DES, MD5, SHA256, SHA512

-e, --encrypted
    Input passwords are pre-encrypted

-R, --root CHROOT_DIR
    Chroot to directory before processing

-s, --shadow
    Update only /etc/shadow, not /etc/passwd

--help
    Display usage summary and exit

DESCRIPTION

chpasswd is a Linux utility for changing user passwords in batch mode from standard input. It processes lines in the format username:password, updating accounts in /etc/shadow (or /etc/passwd if not using -s). Ideal for scripting bulk password resets during deployments, user provisioning, or automation.

By default, it hashes plaintext passwords using the system's preferred method (often SHA512). The -e option allows pre-encrypted passwords, reducing exposure. Supported algorithms via -c include DES, MD5, SHA256, SHA512, or none.

Requires root privileges. Input via pipe or redirection avoids command-line logging of passwords. Integrates with PAM for policy enforcement (e.g., minimum length). Supports chroot for containerized environments.

Common pitfalls: malformed input skips lines silently; weak passwords rejected by PAM. Use with pwck(8) post-execution to verify integrity. Enhances security over looping passwd(1) by minimizing processes and exposure.

CAVEATS

Requires root. Plaintext input risks exposure in logs/history; pipe securely. PAM enforces policies. Malformed lines ignored silently.

INPUT FORMAT

One line per user:
username:plaintext-password
or with -e: username:$6$salt$hash

EXAMPLE

echo 'user1:newpass' | chpasswd
chpasswd < users.txt
echo 'user2:$6$rounds=5000$salthash' | chpasswd -e

HISTORY

Part of shadow-utils by Julianne Haugh (1992); evolved for shadow password support, modern crypt methods added post-2000.

SEE ALSO

passwd(1), newusers(8), chage(1), pwck(8), shadow(5)

Copied to clipboard