[TUHS] Questions about * and ! in the password field of passwd and shadow

[segaloco via TUHS]

On Wednesday, January 7th, 2026 at 11:40, Ron Natalie via TUHS <tuhs at tuhs.org> wrote:

> Back when the (encrypted) passwords were in /etc/password, a * was a
> common way to make accounts that could not be logged into. This goes
> back forwever (putting a blank password field in just meant there was no
> password required to log in). This predated /etc/shaddow and even the
> inclusion of the “salt” characters at the beginning of the passwords.
> The ! to disable wasn’t something I saw. It must have come later (but
> before people started using programs to manipulate these things).

The passwd(5) (or 4 for USG stream) manpage should give some pointers.
As of the initial System V release (pre shadow), the only defined
behaviors of this field are either an encrypted (via crypt(3)) string
or an empty (null) string for no password.  Additionally, a password can
be followed by a comma and then aging information.  I don't see any
explicit handling of * or !.  Presumably using * just means that the
expected output of crypt(3) is *, an unlikely if not impossible
scenario, leading to the behavior of no login available.

I'll have to check the passwd(4) page in my SVR4 manuals at home.  In
any case, that's where I'd suggest looking.  If it's not in the manuals,
it may qualify as unintended behavior or something like that, meaning
even if there is any handling for these characters specially (which I
couldn't find in login(1), su(1), or any of the libc passwd stuff), that
handling was never publicized.

- Matt G.