[TUHS] Questions about * and ! in the password field of passwd and shadow

Marc Haber via TUHS tuhs at tuhs.org
Thu Jan 8 05:34:39 AEST 2026 

Hi,

pardon me for jumping into this mailinglist that is so full of famous 
and knowledgeable people. I am the maintainer of adduser in Debian and 
am trying to make as much sense as possible in modern Unixoid systems.

I am wondering about the difference between ! and * in the password 
field of /etc/shadow and before its invention in /etc/passwd. I think 
that until some ten years ago, there was still a difference between 
both, with one of the versions preventing login via password (but 
keeping it possible to use, for example, an ssh key to log in) and the 
other also making it impossible to use an ssh key to log in. I think 
that one also prevented su'ing to that account.

This has been given up at least in GNU/Linux system a while ago with ! 
and * being kind of synonymous. It is common to put ! in front of a 
password hash to temporary lock an account while being able to restore 
the old password when the account is being unlocked.

In Debian, the accounts that we deliver in a basic installation have "*" 
for a password, while useradd (from the shadow suite by Julianne Frances 
Haugh and Serge Hallyn, nowadays maintained on github) puts a ! in the 
password field when one does not set a password for a newly created 
account.

Reading historic documents suggestst that ! used to be a notion for 
"temporarily locked" while * is the notation for "this account never had 
a password since it was created".

The mixture of * and ! in the /etc/shadow field in Debian systems is 
kind of bothering my inner Adrian Monk, and I would like to either 
suggest that we (Debian) change to ! for the accounts in our default 
/etc/passwd or pester src:shadow to use * for newly created accounts.

That being said, I'd like to solicit your opinion and historical 
knowledge about what ! and * in password fields were really meant to say 
in the beginning.

Thank you very much. It is an honor to be allowed on thie Maiing List.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

More information about the TUHS mailing list