How to test if an account has a password set?
Sometimes you might want to check if an account on the system has a password set. One of the reasons is to disable those, so you can enforce that only SSH authentication might be used, for example.
There are a few ways to see if a password is set.
Using the passwd command
The first command that comes to mind is using the passwd command. Normally you would use that to change your password, but it can actually also reveal useful details about existing accounts. Using the -S option we can request such details.
passwd -S michael
The output might look something like this.
michael P 01/13/2024 0 99999 7 -1
So what does this single line output mean?
| Field | Explanation |
|---|---|
| michael | Username |
| P | P indicates an usuable password is set, L means it is locked |
| 01/13/2024 | Last password change |
| 0 | Minimum age (in days) |
| 99999 | Maximum age (in days) |
| 7 | Warning period (in days) |
| -1 | Inactivity period for the password |
So on the account above you can see the password was set in Janary 2024 and it has an usuable password.
Using getent shadow
Linux uses different types of databases to store information, including those related to name resolution and authentication. One way is to look in the related files /etc/passwd or /etc/shadow. An easier way is to query the related shadow database directly using the getent command.
# getent shadow michael
michael:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:19735:0:99999:7:::
# getent shadow www-data
www-data:*:19579:0:99999:7:::
In this output we clearly see that the first account has a long string characters in the second field, while the second one has not. This long string of characters is the stored password.
| Field | Explanation |
|---|---|
| $6 | Refers to the SHA512 cryptographic hash function |
| xyz | salt for the hashing function |
| VKis…5y. | Password in hashed format |
Using chage
The chage command is great to determine the password policy by using the -l option. Unfortunately, it not as trustworthy to find out if a password has been set. Let’s have a look at the following output.
chage -l www-data
Last password change : Aug 10, 2023
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
This would indicate that a password is set, as it has been changed, right? When we look at the passwd -S output, we see that is is locked though.
passwd -S www-data
www-data L 08/10/2023 0 99999 7 -1
So this account has no password set, even though the field Last password change would give the impression is has.
Found another method to see if an account has a password, or got a suggestion? Love to hear!
