In-depth understanding of passwords in linux

In this article we will discuss about the local users password.

Updating password can be done with two methods:

First method is by using passwd command.

Second method is with openssel passwd command.

Using passwd command


Unix or Linux user can set or update password with the command passwd. The old password has to be type twice before entering the new one.

Sample syntax of passwd command :

$ passwd  

If you’ve no password assigned, then the tool will ask you to set up a password. So you’ve an already existing password, then you’ve to first enter the existing password, to update it. If you fail to enter your existing password you won’t be able to update it.

However this rule of typing existing password doesn’t apply for root user. A root user can update its password, without giving the existing one. Also root user can update an users password, without the requirement of existing password.

Sample syntax of passwd command :

$ passwd <userName>  

For example, if we’re logged in as root, and we want to update the ‘student’ user’s password, we need do:

# passwd student  

The tool will ask you for a new password. Entering a new password will be assigned instantly to that user.

The Shadow File

The Shadow file contains the encrypted user passwords and is located in /etc/shadow. The file is read-only and can be read only by root.

To view the contents in it, simply use the cat tool. You must be the root user to access it:

# cat /etc/shadow  

The shadow file contents nine columns separated by colon.

Column Description: Starting from left to right,

  • username: the login name of the user,
  • encrypted password, usually in the format $id$salt$hashed. $id is the algorithm used. $salt is the key to encrypt the password. And $hashed is the result hashed password,
  • last changed: days since Jan 1, 1970,
  • minimum number of days password must be left unchange,
  • maximum number of days password is valid,
  • number of days to warn the user, before the password is about to expire,
  • number of days after password expiry before disabling the account,
  • expiration date in days when account was disable (days from Jan 1, 1970)
  • The last column has no meaning yet.

Encryption With passwd

Unix and Linux passwords are always store in encrypted format. The encryption is done with crypt function. Simplest way to add a user with a password is to add the user with the command useradd -m and then set the user’s password with command passwd.

Sample syntax of :

# useradd -m <userName>  

Like example of :

# useradd -m Tom  

Sample syntax of :

# passwd <typePassword>  

Like example of :

# passwd ****  

See your terminal after run the command, user name Tom is create with a password successfully.

Using openssl passwd

Encryption With openssl

If you create a user with a password -p option is also use, but that requires an encrypted password.

The encrypted password can be generate with openssl passwd command.

The openssl passwd command can generate several distinct hashes for the same pssword. To do this, it uses salt.

It can be chosen and is visible as the first two characters of the hash as show below.

See your terminal after run the command, the first two characters start from the defined sale ’32’.

When you create a user with password using openssl command, following syntax is use.

Sample syntax of :

# useradd -m -p $(openssl passwd hunter2) <userName>  

Like example of :

# useradd -m -p $(openssl passwd hunter2) test2  

See your terminal after run the command, user test2 is create and its password is kept into command history.


The /etc/login.defs file contains some default settings like password aging and length settings.

Sample syntax of :

# grep PASS /etc/login.defs

chage command

The chage command can be use by a user to know the information about their password. The -l option is use to list the information. So use it.

Sample syntax of:

# chage -l <userName>  

Like example of :

# chage -l abc

Disabling A Password

Linux passwords in /etc/shadow are not save starting with exclamation mark (!). When you exclamation mark is present in starting then password can not be use and work.

That feature can be use to disable a password and the process is call locking, disabling and suspending a user account.

This will can be done in vi or with usermod command.

You can disable the password of Tom with usermod command.

Sample syntax of :

# usermod -L <userName>  

Like example of :

# usermod -L Tom  

See your terminal after run the command, first command shows hashed password of Tom, and command “usermod -L Tom” disables the password of Tom.

Now user Tom can’t authenticate using this password.

See your terminal after run the command, hash password is precede with !, which means it is disable.

Now please note that root user and will be able to open the Tom account as password is not need here.

User Tom wouldn’t have set password, and Tom can also login.

You can unlock your account with usermod -U.

Sample syntax of :

# usermod -U <userName>  

Like example of :

# usermod -U Tom 

See your terminal after run the command, hash password of Tom is unlocked now as there is no (!) mark in starting.

Leave a Reply