Right, let’s talk about the passwd command. You probably think it’s just for changing your password. And you’d be mostly right. But it’s also the Swiss Army knife for poking at your own user account, and if you’re the all-powerful root user, it’s the master key for poking at everyone else’s account. It’s deceptively simple, which is why its nuances often bite people in the rear.

The most basic incantation is the one you know. You type passwd, it asks for your current password (a sanity check to make sure a passerby hasn’t hijacked your session), then prompts you for a new one twice to avoid typos. It then hashes that password with a modern, secure hashing algorithm (yescrypt on current systems) and slaps that hash into the /etc/shadow file. Simple.

$ passwd
Changing password for jane.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

The Root of All Power

Here’s where the magic (and the responsibility) begins. The root user doesn’t need to know your current password to change it. This is the first line of defense for sysadmins helping users who are locked out, or for resetting a service account’s credentials. The syntax is just passwd <username>.

# sudo passwd jane
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

See? No current password prompt. This is incredibly powerful. It also means that if you ever see a prompt asking for your current password when you’re sudo-ing, something is deeply wrong, or you’ve been the victim of a very clumsy phishing attempt.

Locking and Unlocking: The -l and -u Flags

This is arguably more important than password changes in many scenarios. You don’t always want to delete a user; you just want to prevent them from logging in. Maybe it’s a disgruntled employee, a compromised account, or the www-data user you want to keep around for file ownership but never actually log in as. This is where account locking comes in.

Locking an account with passwd -l (that’s a lower-case L for “lock”) does something brilliantly simple and effective: it prepends an exclamation mark (!) to the user’s password hash in /etc/shadow.

# sudo passwd -l jane
passwd: password expiry information changed.

Now, let’s peek at the aftermath in the shadow file:

jane:!$y$j9T$F4F1Ry79G8Sq1...

That exclamation mark at the beginning? It completely invalidates the hash. No matter what password Jane types, the system will try to compare it to !$y$j9T..., which will never match. It’s a fantastically simple and portable way to lock an account without changing the underlying hash. If you unlock it later with passwd -u, it just removes the !, restoring the previous password. No need to set a new one.

Crucial Pitfall: This is not the same as an expired password or a password set to *. The usermod command can also lock an account by setting the hash to ! or *, but passwd -l’s method is the standard. Know that some legacy systems or automated tools might check for a hash literally equal to * instead of just a prefix, so consistency is key.
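As an added example (not from the original post), here is a small POSIX sh audit that classifies the password field of each /etc/shadow entry the way passwd -l, passwd -u and the * convention above leave it, and lists the accounts that still accept a password. The shadow lines it reads are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Classify one /etc/shadow line by its password field (2nd colon-separated field):
#   locked  -> hash prefixed with "!" (passwd -l / usermod -L): the original hash is
#              intact underneath, so passwd -u restores it without a new password
#   nologin -> "*", "!!" or "!*": no usable hash at all, nothing to unlock
#   empty   -> no password required; this is the dangerous one to find in an audit
#   active  -> an ordinary hash that accepts password authentication
# Note: this inspects only the password field. passwd(1) itself warns that a
# "!"-locked password does not disable other authentication tokens (e.g. SSH keys).
shadow_lock_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')              echo empty ;;
        '*'|'!!'|'!*')   echo nologin ;;   # must precede the generic "!" prefix test
        '!'*)            echo locked ;;
        *)               echo active ;;
    esac
}

# Read shadow-format lines on stdin, print "<user> <state>" per line.
audit_shadow() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        printf '%s %s\n' "$user" "$(shadow_lock_state "$line")"
    done
}

# Only the accounts where a typed password can still succeed (active or empty).
users_with_usable_password() {
    audit_shadow | awk '$2 == "active" || $2 == "empty" { print $1 }'
}

# Constructed sample (hash strings are placeholders, not real yescrypt output).
SAMPLE_SHADOW='root:$y$j9T$abc:19000:0:99999:7:::
jane:!$y$j9T$F4F1Ry79G8Sq1:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
bob::19000:0:99999:7:::
svc:!!:19000:0:99999:7:::'

# Stand-alone run: full classification, then the password-capable shortlist.
# On a real host you would feed it: sudo cat /etc/shadow | audit_shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
printf '%s\n' "$SAMPLE_SHADOW" | users_with_usable_password
```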

The Nuclear Option: --stdin and Automation

Sometimes you need to set a password from a script, without human interaction. This is dangerous territory, because you absolutely must avoid putting the plain text password in your command history or shell scripts. The --stdin flag exists for this. It lets you pipe a password directly into passwd.

# echo "SomeSuperSecretPassword123" | sudo passwd --stdin jane
passwd: password updated successfully

WARNING: Use this with extreme caution. The password is in the command, visible in plain text to anyone who can run ps at that moment, and will likely be stored in your shell history. This flag is a necessary evil for automation, but it should be used with the gravity of a live wire. Always consider if SSH key-based authentication is a better fit first. If you must use it, ensure your scripts have strict permissions and never log the sensitive part.

Why Not Just Edit /etc/shadow Directly?

You might be thinking, “This seems overcomplicated. Why not just vim /etc/shadow myself?” Don’t. Just don’t. The passwd command isn’t just a fancy editor; it’s a management tool. It handles the file locking (/etc/shadow.lock) to prevent corruption if multiple processes try to write at once. It validates your input. It handles the transition between different password hashing algorithms seamlessly. It updates any necessary Pluggable Authentication Module (PAM) caches. Manually editing the shadow file is like performing brain surgery with a rock. You might get it right once, but the mess you’ll eventually make isn’t worth it. Let the dedicated tool do its job.