The worst kind of password is not a weak password, but no password at all. As a system administrator, you must ensure that each user account has a strong password. This short tutorial explains how to find user accounts with an empty password in Linux.
Before we get into the subject, let’s briefly summarize the shadow file and its purpose.
What is a shadow password file?
In RHEL systems, the user passwords are hashed and stored in a secure file called /etc/shadow. The shadow password file contains the user authentication and password aging details of the user accounts.
The shadow password file is owned by the root user and is only readable by the super users. You can verify ownership and permission of the shadow file with the following command:
# ls -l /etc/shadow
---------- 1 root root 618 Apr 7 07:52 /etc/shadow
The typical structure of an example row of the shadow file is given below.
user1:$6$5ps/XV21$EFmQ463GJZnsdF/:19089:0:99999:7:::
As you may already know, each row of the shadow file has nine fields separated by colons.
Let’s take a look at each field.
- Field 1 (Login name) – This contains the login name (user1) as shown in the passwd file.
- Field 2 (Encrypted password) – This field contains a hashed (encrypted) password of the user. If there is a single exclamation mark (!) at the beginning of this field, it means that the user account is locked. If this field is empty, the user does not have a password.
- Field 3 (Last change) – This field shows the number of days since the Unix epoch (i.e. Unix time – January 01, 1970 00:00:00 UTC) when the password was last changed. If this field contains 0, the user will be forced to change their password at the next login.
- Field 4 (Minimum) – This field shows the minimum number of days (mindays) that must pass before the user is allowed to change their password. You can change the value of this field with the chage command with the -m option.
- Field 5 (Maximum) – Shows the maximum number of days (maxdays) of password validity before the user password expires. If the field is 0, it means that this feature is disabled. The value of this field can be changed with the chage command with the -M option.
- Field 6 (Warning) – Indicates the number of days (warndays) for which the user will be warned to change their password before it expires. You can change this value with the chage command with the -W option or the passwd command with the -w option.
- Field 7 (Password expired) – Defines the maximum allowed number of days that the user can log in with the expired password. This can be changed with the chage command with the -I flag or the passwd command with the -i flag.
- Field 8 (Account expiration) – Defines the number of days since the Unix epoch when the user account expires and is no longer available. You can change the value of this field with the chage command with the -E option.
- Field 9 (Reserved) – This field is reserved for future use.
As mentioned above, the encrypted passwords are stored in the second field of each entry in the shadow password file, just after the username.
So if the second field in the shadow file is empty, the user has no password. Allow me to show you an example to find all passwordless user accounts.
Find all user accounts without password in Linux
To detect all local user accounts without a password, just run the following command as the root user:
# awk -F: '$2 == "" { print $1, "has empty password!. Please set a strong password ASAP!!" }' /etc/shadow
Sample output:
ostechnix has empty password!. Please set a strong password ASAP!!
You can also use the getent command combined with the grep and cut commands to identify passwordless local user accounts in Linux.
# getent shadow | grep -Po '^[^:]*(?=::)'
Or,
# getent shadow | grep '^[^:]*::' | cut -d: -f1
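All the above commands will only list the local user accounts that have empty passwords. To display both the system accounts and the user accounts with an empty password, run the following. The .? in the pattern also matches a password field that holds a single character, such as * or !: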
# getent shadow | grep -Po '^[^:]*(?=:.?:)'
Or,
# getent shadow | grep '^[^:]*:.\?:' | cut -d: -f1
Find a specific passwordless user account
The above commands list all local and system accounts without a password. You can also check the password status of a specific user account with the passwd command with the -S flag.
# passwd -S ostechnix
Sample output:
ostechnix NP 2022-04-07 0 99999 7 -1 (Empty password.)
The passwd command indicates the password status of the specified user account. The possible values are:
- LK – The user account is locked.
- NP – The user account has no password.
- PS – The user account has a usable password.
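The following script is an added example, not part of the original tutorial. It classifies every entry of a shadow-format file with the same NP/LK/PS codes, so that empty fields are reported separately from entries that only hold a lock marker. The function names and the sample entries are constructed for illustration, and treating a leading * the same as a leading ! is an assumption of this example.

```shell
#!/bin/sh
# Added example: classify every entry of a shadow-format file.
# Status codes mirror the passwd -S values described above: NP, LK, PS.
audit_shadow() {
    # $1: path to a shadow-format file (defaults to /etc/shadow, which needs root)
    awk -F: '
        NF < 2 || $1 == "" { next }      # skip malformed or blank lines
        {
            if ($2 == "")
                status = "NP"            # empty field: no password at all
            else if ($2 ~ /^[!*]/)
                status = "LK"            # "!" or "*" prefix (assumption: both count as locked)
            else
                status = "PS"            # a password hash is present
            print $1, status
        }
    ' "${1:-/etc/shadow}"
}

# Print only the login names whose password field is empty.
empty_password_users() {
    audit_shadow "$1" | awk '$2 == "NP" { print $1 }'
}

# Constructed sample data (placeholder hashes) so the example runs without root.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$constructedsalt$constructedhash:19089:0:99999:7:::
daemon:*:19089:0:99999:7:::
user1:!$6$constructedsalt$constructedhash:19089:0:99999:7:::
ostechnix::19089:0:99999:7:::
EOF

audit_shadow "$sample"
echo "Empty password: $(empty_password_users "$sample")"
rm -f "$sample"
```

Run as root with no argument, audit_shadow reads /etc/shadow directly.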
Setting User Password in Linux
You can log in as a user without a password, but this is not recommended! You must set a strong password with at least 8 characters, including uppercase, lowercase, a special character, and a number.
To set the password for a user account in Linux, use the passwd command as the root user, as shown below.
As root user:
# passwd ostechnix
Replace ostechnix with your own username.
Now check the password status of the user account with the passwd command:
# passwd -S ostechnix
Sample output:
ostechnix PS 2022-04-07 0 99999 7 -1 (Password set, SHA512 crypt.)

Locking User Accounts in Linux
Sometimes you just want to lock the user accounts with blank passwords. If so, first find the users with empty passwords as described above and lock them with the passwd command with the -l flag as the root user, as shown below.
# passwd -l ostechnix
Sample output:
Locking password for user ostechnix.
passwd: Success
Now check the user account status:
# passwd -S ostechnix
Sample output:
ostechnix LK 2022-04-07 0 99999 7 -1 (Password locked.)
See? The user is locked. He can no longer log into the system.
You can also use the usermod command with the -L (capital L) flag to lock a user.
# usermod -L ostechnix
Unlock User Accounts in Linux
To unlock the passwordless users in Linux, use either the passwd command or the usermod command with the -p option as the root user.
# passwd ostechnix
Enter the password twice to unlock the password.
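Unlocking users with an empty password is not possible; you must set a password with usermod -p to unlock this user's password. Note that usermod -p takes the already-hashed password string, as produced by crypt(3), not the plain-text password.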
# usermod -p <password-here> ostechnix
Conclusion
In this tutorial, we explained what the shadow password file is and the purpose of this file in Linux. Next, we talked about different commands to find all user accounts that don't have a password in Linux. Finally, we learned how to set a password for a user and also how to lock and unlock the users in Linux.