Securely change user password using shell script to automate this task on these rare occasions.

Encrypt user password

Encrypt password using SHA256 algorithm with random salt.

$ printf "mypassword1" | mkpasswd --stdin --method=sha-256

Encrypt password using SHA512 algorithm with defined salt.

$ printf "mypassword2" | mkpasswd --stdin --method=sha-512 --salt "KdN5Re3X2X18"

The available encryption algorithms are DES, MD5, and SHA256 or SHA512.

You do not need to specify particular encryption algorithm as it will use PAM to encrypt password.

$ cat /etc/pam.d/common-password
# /etc/pam.d/common-password - password-related modules common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password	[success=1 default=ignore] obscure sha256
# here's the fallback if no module succeeds
password	requisite
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password	required
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

As you can see, SHA512 algorithm will be used by default.

Change user password

Change password for particular user.

Use single quotes to preserve the literal value of each character within the quotes.

$ printf 'milosz:$5$TE9qUgZsrPH2B$Z6leshvNS1M2POmcyNec5liVfY17efGUUEHS0CdyPh6' | sudo chpasswd --encrypted

Change passwords for multiple users using here document.

Use single quotes to disable parameter substitution.

$ sudo chpasswd --encrypted << 'EOF'

Change passwords for multiple users using simple password file.

$ cat users.txt
$ cat users.txt | sudo chpasswd --encrypted