The worst kind of password is not a weak password but no password at all. As a system admin, you must ensure that every user account has a strong password. This brief tutorial explains how to find user accounts with an empty password in Linux.
Before getting into the topic, let us have a quick recap of the shadow file and its purpose.
What is Shadow Password File?
On Linux systems, RHEL included, user password hashes are stored in a protected file called /etc/shadow rather than in the world-readable /etc/passwd. The shadow password file contains the authentication (password hash) and password-aging details of every local user account.
The shadow password file is owned by the root user and is readable only by the superuser (on RHEL it carries no permission bits at all; Debian-based systems use mode 0640 with group shadow). You can verify the ownership and permissions of the shadow file using the following command:
# ls -l /etc/shadow
---------- 1 root root 618 Apr 7 07:52 /etc/shadow
The typical structure of a sample row from the shadow file is given below.
user1:$6$5ps/XV21$EFmQ463GJZnsdF/:19089:0:99999:7:::
As you may already know, each entry in the shadow file has nine fields separated by colons.
Let us have a quick look at each field.
- Field 1 (Login name) - The login name (user1) as it appears in the passwd file.
- Field 2 (Encrypted password) - The hashed password of the user, in crypt(3) format ($id$salt$hash; $6$ is SHA-512). If this field begins with an exclamation mark (!), the password is locked (passwd -l simply prefixes the existing hash with !; on RHEL, !! means a password was never set). If it holds a value that is not a valid crypt(3) result, such as a single asterisk (*), the account cannot log in with a password at all, which is the normal state of system accounts. If this field is empty, the user has no password.
- Field 3 (Last change) - The date of the last password change, expressed as the number of days since the Unix epoch (January 01, 1970 00:00:00 UTC). If this field contains 0, the user is forced to change their password at the next login.
- Field 4 (Minimum) - The minimum number of days (mindays) that must elapse before the user is allowed to change their password. You can change this value with the chage command's -m option.
- Field 5 (Maximum) - The maximum number of days (maxdays) a password stays valid before it expires. An empty field means no maximum is enforced; the conventional value 99999 effectively means never. This value can be changed with the chage command's -M option.
- Field 6 (Warning) - The number of days (warndays) before expiry during which the user is warned to change their password. You can change this value with the chage command's -W option or the passwd command's -w option.
- Field 7 (Password inactivity) - The number of days after the password has expired during which it is still accepted, so that the user can change it at the next login. Once this period has also elapsed, no password login is possible. This can be changed with the chage command's -I option or the passwd command's -i option.
- Field 8 (Account expiry) - The date, as days since the Unix epoch, on which the account expires and can no longer be used. You can change this value with the chage command's -E option.
- Field 9 (Reserved) - This field is reserved for future use.
As mentioned above, the password hashes are stored in the second field of each entry in the shadow password file, just after the username.
So, if the second field of an entry is empty, that user has no password. Whether such a user can actually log in without one depends on the authenticating service: the pam_unix nullok option (present by default on RHEL) permits it for local logins, while OpenSSH refuses it unless PermitEmptyPasswords is enabled. Either way, an empty field is a finding that must be fixed. Allow me to show you an example to find all password-less user accounts.
Find All User Accounts with No Password in Linux
To detect all local user accounts that have no password, simply run the following command as the root user (only root can read /etc/shadow):
# awk -F: '$2 == "" { print $1, "has an empty password! Please set a strong password ASAP!" }' /etc/shadow
Sample Output:
ostechnix has an empty password! Please set a strong password ASAP!
You can also use the getent command combined with the grep and cut commands to identify password-less local user accounts in Linux (getent shadow likewise requires root):
# getent shadow | grep -Po '^[^:]*(?=::)'
Or,
# getent shadow | grep '^[^:]*::' | cut -d: -f1
All of the above commands list every local account, system accounts included, whose password field is empty. A closely related check is for accounts whose password field is empty or a single character, which also catches the * and ! markers that system accounts and locked accounts normally carry. Those accounts have no usable password, which is not the same thing as an empty one, so keep the two checks separate:
# getent shadow | grep -Po '^[^:]*(?=:.?:)'
Or,
# getent shadow | grep '^[^:]*:.\?:' | cut -d: -f1
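As an added example that is not part of the original tutorial, the POSIX sh script below applies the same second-field test to every row of a shadow-format file and labels each account the way the field description above implies: empty, locked (leading !), no usable password (*), a real hash, or an invalid value. It runs against a constructed sample file embedded in the script, so it needs no root; point audit_shadow at /etc/shadow as root to audit a real host. The function names and the sample rows are my own assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a shadow-format
# file and classify each account by its password field (field 2).
# Runs on a constructed sample so it needs no root; pass /etc/shadow
# to audit_shadow as root to check a real host.

# Classify one password-field value, following shadow(5):
#   ""            -> EMPTY   no password required (if PAM allows nullok)
#   "!..." / "!!" -> LOCKED  locked with passwd -l, or never set on RHEL
#   "*"           -> NOLOGIN no usable password (typical system account)
#   "$id$salt$h"  -> HASHED  a crypt(3) hash ($6$ = SHA-512)
#   anything else -> INVALID not a crypt(3) result; password login impossible
classify_pw_field() {
  case "$1" in
    '')        echo EMPTY ;;
    '*')       echo NOLOGIN ;;
    '!'*)      echo LOCKED ;;
    '$'*'$'*)  echo HASHED ;;
    *)         echo INVALID ;;
  esac
}

# Print "user STATUS" for every row of the shadow-format file $1.
audit_shadow() {
  while IFS=: read -r user pw rest; do
    [ -n "$user" ] || continue          # skip blank lines
    printf '%s %s\n' "$user" "$(classify_pw_field "$pw")"
  done < "$1"
}

# Print only the login names whose password field is empty,
# the same result the awk one-liner above gives on /etc/shadow.
empty_password_users() {
  audit_shadow "$1" | awk '$2 == "EMPTY" { print $1 }'
}

# Constructed sample; the hashes are truncated and are not real credentials.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$5ps/XV21$EFmQ463GJZnsdF/:19089:0:99999:7:::
bin:*:18353:0:99999:7:::
ostechnix::19089:0:99999:7:::
alice:!!:19089:0:99999:7:::
bob:!$6$5ps/XV21$EFmQ463GJZnsdF/:19089:0:99999:7:::
svc:x:19089:0:99999:7:::
EOF

audit_shadow "$SAMPLE"
echo '--- accounts with an empty password ---'
empty_password_users "$SAMPLE"
rm -f "$SAMPLE"
```

Running it prints one status line per sample account and then only ostechnix under the empty-password header; alice and bob are reported as locked and bin as having no usable password, which the one-character grep variant above would lump together with genuinely empty fields.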
Find a Specific Passwordless User Account
The above commands list all local as well as system accounts that have no password. You can also check the password status of a specific user account using the passwd command with the -S flag.
# passwd -S ostechnix
Sample output:
ostechnix NP 2022-04-07 0 99999 7 -1 (Empty password.)
The passwd command indicates the password status of the given user account. The possible values are:
- LK - The user account's password is locked (or the account uses no password-based authentication).
- NP - The user account has no password.
- PS - The user account has a usable password.
Heads Up: On Debian-based systems, the password status is denoted as L, NP and P respectively.
Set User Password In Linux
The system may let you log in as a password-less user, but it is never recommended. Set a strong password of at least 8 characters mixing upper-case and lower-case letters, a digit and a special character; a longer passphrase is better still.
To set a password for a user account in Linux, use the passwd command as the root user like below.
As root user:
# passwd ostechnix
Replace ostechnix with the actual username. Because passwd prompts for the new password, it never appears on the command line or in the shell history.
Now check the password status of the user account using the passwd command:
# passwd -S ostechnix
Sample output:
ostechnix PS 2022-04-07 0 99999 7 -1 (Password set, SHA512 crypt.)
Lock User Accounts In Linux
Sometimes, you just want to lock the user accounts that have empty passwords. If so, first find the users with empty passwords as described above and lock them using the passwd command with the -l flag as the root user like below.
# passwd -l ostechnix
Sample output:
Locking password for user ostechnix. passwd: Success
Now, check the status of the user account:
# passwd -S ostechnix
Sample Output:
ostechnix LK 2022-04-07 0 99999 7 -1 (Password locked.)
See? The user's password has been locked, so he can no longer log in with a password. Note that passwd -l only prefixes the password field with an exclamation mark; it does not disable the account. A user who authenticates another way, for example with an SSH key, can still log in. To disable the account outright, additionally set its expiry date in the past with usermod --expiredate 1 ostechnix.
You can also use the usermod command with the -L (uppercase L) flag to lock a user's password:
# usermod -L ostechnix
Unlock User Accounts In Linux
To unlock a password-less user that you locked above, simply set a password with the passwd command as the root user; the new hash replaces the locked field:
# passwd ostechnix
Enter the password twice and the account is unlocked with a real password.
Unlocking a locked-but-empty password with passwd -u or usermod -U is refused, because it would leave the account password-less again. Instead, set a password with usermod -p. Be aware that usermod -p expects an already hashed password in crypt(3) format, not a plain-text one (a plain-text string would be stored verbatim and never match), and that anything passed on the command line ends up in the shell history and in process listings:
# usermod -p '<hashed-password-here>' ostechnix
Generate the hash separately, for example with openssl passwd -6, rather than typing the plain-text password into this command.
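Remediation, as an added example that is not part of the original tutorial: the script below wraps the two fixes described in this section. It hashes a password with openssl passwd -6 for use with usermod -p and refuses anything that does not look like a crypt(3) hash, and it locks an account with passwd -l plus usermod --expiredate 1 so that key-based logins are blocked as well. It runs in dry-run mode unless APPLY=1 is set and it is executed as root. The function names, the sample username and the sample passphrase are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: safe remediation of an
# account with an empty password. Dry-run by default; APPLY=1 (as root)
# executes the generated commands.

# Return 0 if $1 looks like a crypt(3) hash: $1$ (MD5), $5$ (SHA-256),
# $6$ (SHA-512) or $y$ (yescrypt), followed by a salt and the hash.
is_crypt_hash() {
  case "$1" in
    '$1$'*'$'*|'$5$'*'$'*|'$6$'*'$'*|'$y$'*'$'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Hash a plain-text password read from stdin with SHA-512 crypt and a
# random salt. Reading stdin keeps the secret out of argv and shell history.
hash_password() {
  openssl passwd -6 -stdin
}

# Build (and with APPLY=1 run) the remediation command for one account.
#   remediate set  USER HASH -> usermod -p 'HASH' USER (sets a real password)
#   remediate lock USER      -> passwd -l USER && usermod --expiredate 1 USER
remediate() {
  action=$1 user=$2 hash=${3:-}
  case "$action" in
    set)
      if ! is_crypt_hash "$hash"; then
        echo "refusing: argument is not a crypt(3) hash" >&2
        return 1
      fi
      cmd="usermod -p '$hash' $user" ;;
    lock)
      cmd="passwd -l $user && usermod --expiredate 1 $user" ;;
    *)
      echo "unknown action: $action" >&2
      return 2 ;;
  esac
  if [ "${APPLY:-0}" = 1 ]; then
    sh -c "$cmd"
  else
    echo "DRY-RUN: $cmd"
  fi
}

# Demo on the tutorial's sample user. The passphrase is a constructed
# placeholder; in real use read it from a prompt (stty -echo; read -r pw).
if command -v openssl >/dev/null 2>&1; then
  HASH=$(printf '%s\n' 'CorrectHorseBatteryStaple!9' | hash_password)
  remediate set ostechnix "$HASH"
fi
remediate lock ostechnix
# This call is rejected: a plain-text string is not a hash.
remediate set ostechnix 'plain-text-password' || true
```

With APPLY unset the script only prints the usermod and passwd commands it would run, which is a convenient way to review the change before applying it on a host.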
Conclusion
In this tutorial, we explained what the shadow password file is and what purpose it serves in Linux. Then we discussed various commands to find all user accounts that have no password in Linux. Finally, we learned how to set a password for a user and how to lock and unlock users in Linux.
2 comments
A simpler way:
```
$ sudo passwd -Sa | grep 'NP'
```
Thanks. But it didn’t work for me in AlmaLinux 8.