Locking a password in Linux disables the ability to log in to an account using a password, effectively preventing authentication via password while leaving the account itself intact. This is useful for various administrative and security purposes.

How Password Locking Works

When a password is locked, the system modifies the /etc/shadow file by prepending a ! or * to the hashed-password field (the second colon-separated field) of that user's entry. For example:

  • Before locking:
    merry:$6$encryptedpassword:19340:0:99999:7:::

  • After locking:
    merry:!$6$encryptedpassword:19340:0:99999:7:::

The ! or * prevents the password hash from being used during authentication.

If the field contains two '!' characters ('!!'), the password has never been set.

Uses of Locking a Password

  1. Temporarily Disable Login for a User

    • If a user account is not currently needed but may be re-enabled later, locking the password prevents access without deleting the account.
    • Example:
      sudo passwd -l username
  2. Secure a Compromised Account

    • If there’s a suspicion that an account has been compromised, locking the password can stop unauthorized access until the issue is resolved.
  3. For System or Service Accounts

    • Some system accounts (e.g., nobody, daemon) do not require direct login access. Their passwords are locked to ensure they can’t be used for interactive logins.
    • Locked accounts can still perform their intended functions (e.g., running services).
  4. Prevent Login for Users with Alternative Access

    • If a user accesses the system via SSH keys, SSO, or other non-password mechanisms, locking the password ensures no one can log in with a forgotten or weak password.

What Happens When a Password Is Locked?

  • Login with Password Fails: The user cannot log in with a password but may still log in using other methods (e.g., SSH keys).
  • Existing Sessions Are Unaffected: Any active sessions for the user remain active until they log out.
  • Account Itself Remains Intact: Files, permissions, and non-password-based access methods are not affected.

Unlocking a Password

To re-enable password-based authentication for a locked account:

sudo passwd -u username

Practical Example

Lock a password for the user merry:

sudo passwd -l merry

Check the status of the account:

sudo passwd -S merry

Output:

merry L 12/08/2024 0 99999 7 -1 (Password locked.)

To unlock:

sudo passwd -u merry
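The shadow-field states described above (!, !!, *) and the passwd -S status line from the practical example can be checked without touching a live system. The following is an added example, not part of the original notes: the sample entries are constructed, the hash bodies are placeholders, and the function names are my own.

```shell
# Classify the password field of one /etc/shadow entry.
# Argument: a full shadow line 'user:hash:lastchg:min:max:warn:inactive:expire:'
# Prints one of: never-set, locked, disabled, empty, active
shadow_lock_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)     # field 2 is the password hash
    case "$pw" in
        '!!')   echo never-set ;;   # two '!' : password was never set
        '!'*)   echo locked ;;      # leading '!' : what 'passwd -l' writes
        '*'*)   echo disabled ;;    # leading '*' : system/service account
        '')     echo empty ;;       # empty field: no password needed at all
        *)      echo active ;;      # a usable hash, e.g. $6$... (SHA-512)
    esac
}

# Read one line of 'passwd -S' output ("user L ..." / "user P ..." / "user NP ...")
# and print the lock state encoded in its second field.
passwd_status_state() {
    set -- $1
    case "$2" in
        L)  echo locked ;;
        P)  echo active ;;
        NP) echo empty ;;
        *)  echo unknown ;;
    esac
}

# Walk a shadow snapshot on stdin and print "user<TAB>state" per entry,
# the kind of check run when reviewing which accounts can still use a password.
audit_shadow() {
    while IFS= read -r entry; do
        printf '%s\t%s\n' "${entry%%:*}" "$(shadow_lock_state "$entry")"
    done
}

# Constructed sample entries; the hash bodies are placeholders, not real hashes.
SAMPLE_ACTIVE='merry:$6$saltsalt$placeholderhash:19340:0:99999:7:::'
SAMPLE_LOCKED='merry:!$6$saltsalt$placeholderhash:19340:0:99999:7:::'
SAMPLE_NEVER='newuser:!!:19340:0:99999:7:::'
SAMPLE_SYSTEM='daemon:*:19340:0:99999:7:::'
SAMPLE_STATUS='merry L 12/08/2024 0 99999 7 -1 (Password locked.)'

printf '%s\n' "$SAMPLE_ACTIVE" "$SAMPLE_LOCKED" "$SAMPLE_NEVER" "$SAMPLE_SYSTEM" | audit_shadow
passwd_status_state "$SAMPLE_STATUS"
```

On a real host, feed `sudo cat /etc/shadow | audit_shadow` to the audit function; an "empty" result is the state to act on first, since such an account needs no password at all.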