How to test if an account has a password set?

Sometimes you might want to check if an account on the system has a password set. One reason is to disable those passwords, so you can enforce that only SSH authentication can be used, for example.

There are a few ways to see if a password is set.

Using the passwd command

The first command that comes to mind is using the passwd command. Normally you would use that to change your password, but it can actually also reveal useful details about existing accounts. Using the -S option we can request such details.

passwd -S michael

The output might look something like this.

michael P 01/13/2024 0 99999 7 -1

So what does this single line output mean?

Field       Explanation
michael     Username
P           P indicates a usable password is set, L means it is locked
01/13/2024  Last password change
0           Minimum age (in days)
99999       Maximum age (in days)
7           Warning period (in days)
-1          Inactivity period for the password

So on the account above you can see the password was set in January 2024 and it has a usable password.

Using getent shadow

Linux uses different types of databases to store information, including those related to name resolution and authentication. One way is to look in the related files /etc/passwd or /etc/shadow. An easier way is to query the related shadow database directly using the getent command.

# getent shadow michael
michael:$6$xyz$VKswtvLoVpOLcpjDMIFXhxa8ukqqKSKHjcPBLZUk9NxWldmlFQY4stUGo.QjEhav7mp86ih2PRqYPqjkhWi5y.:19735:0:99999:7:::

# getent shadow www-data
www-data:*:19579:0:99999:7:::

In this output we clearly see that the first account has a long string of characters in the second field, while the second one does not. This long string of characters is the stored password, in hashed form.

Field      Explanation
$6         Refers to the SHA512 cryptographic hash function
xyz        Salt for the hashing function
VKsw…5y.   Password in hashed format
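The second field of each shadow entry can be classified with a few lines of shell, which also covers two cases the output above does not show: an empty field, and a hash that is kept but disabled with a leading exclamation mark. This is an added example, not part of the original article; the function names and the sample entries (including the backup and guest accounts and the placeholder hashes) are constructed, and the letters P, L and NP follow the status codes that passwd -S prints.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of shadow-format lines.

# classify_field FIELD -> prints P, L or NP (the status letters of passwd -S).
classify_field() {
    case "$1" in
        '')        echo NP ;;  # empty field: no password is required to log in
        '!'*|'*'*) echo L ;;   # leading ! or *: not a usable hash, treated as locked
        *)         echo P ;;   # anything else is taken to be a stored password hash
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user status" per line.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue          # skip blank lines
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample input (placeholder hashes, not real accounts).
sample_shadow() {
cat <<'EOF'
michael:$6$xyz$CONSTRUCTEDHASH:19735:0:99999:7:::
www-data:*:19579:0:99999:7:::
backup:!$6$abc$CONSTRUCTEDHASH:19600:0:99999:7:::
guest::19700:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system, run as root and pipe `getent shadow` into `audit_shadow` instead of the sample. Note that the backup entry still has a long string in the second field, yet it is locked, and that NP entries deserve attention first.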

Using chage

The chage command is great for determining the password policy by using the -l option. Unfortunately, it is not as trustworthy for finding out if a password has been set. Let’s have a look at the following output.

chage -l www-data
Last password change					: Aug 10, 2023
Password expires					: never
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 0
Maximum number of days between password change		: 99999
Number of days of warning before password expires	: 7

This would indicate that a password is set, as it has been changed, right? When we look at the passwd -S output, we see that it is locked though.

passwd -S www-data
www-data L 08/10/2023 0 99999 7 -1

So this account has no password set, even though the field Last password change would give the impression it has.

Found another method to see if an account has a password, or got a suggestion? Love to hear!

Authentication

Want to secure your users, passwords, PAM, or the SSH configuration? Perform a scan with Lynis, including a configuration audit of the available authentication methods.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors and security professionals, such as pentesters.
