How to test if an account has a password set?

Sometimes you might want to check if an account on the system has a password set. One of the reasons is to disable those, so you can enforce that only SSH authentication might be used, for example.

There are a few ways to see if a password is set.

Using the passwd command

The first command that comes to mind is using the passwd command. Normally you would use that to change your password, but it can actually also reveal useful details about existing accounts. Using the -S option we can request such details.

passwd -S michael

The output might look something like this.

michael P 01/13/2024 0 99999 7 -1

So what does this single line output mean?

PP indicates an usuable password is set, L means it is locked
01/13/2024Last password change
0Minimum age (in days)
99999Maximum age (in days)
7Warning period (in days)
-1Inactivity period for the password

So on the account above you can see the password was set in Janary 2024 and it has an usuable password.

Using getent shadow

Linux uses different types of databases to store information, including those related to name resolution and authentication. One way is to look in the related files /etc/passwd or /etc/shadow. An easier way is to query the related shadow database directly using the getent command.

# getent shadow michael

# getent shadow www-data

In this output we clearly see that the first account has a long string characters in the second field, while the second one has not. This long string of characters is the stored password.

$6Refers to the SHA512 cryptographic hash function
xyzsalt for the hashing function
VKis…5y.Password in hashed format

Using chage

The chage command is great to determine the password policy by using the -l option. Unfortunately, it not as trustworthy to find out if a password has been set. Let’s have a look at the following output.

chage -l www-data
Last password change					: Aug 10, 2023
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

This would indicate that a password is set, as it has been changed, right? When we look at the passwd -S output, we see that is is locked though.

passwd -S www-data
www-data L 08/10/2023 0 99999 7 -1

So this account has no password set, even though the field Last password change would give the impression is has.

Found another method to see if an account has a password, or got a suggestion? Love to hear!

Relevant commands in this article

Like to learn more about the commands that were used in this article? Have a look, for some there is also a cheat sheet available.

  • chage
  • getent
  • passwd


Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon