The difference between exclamation mark and asterisk in /etc/shadow

So, with a terrible case of memory lapse while wanting to disable password login for a user, I couldn’t remember what the difference between “!” and “*” is in the /etc/shadow file.

Well, man 5 shadow to the rescue:

Refer to **crypt**(3) for details on how this string is interpreted.

If the password field contains some string that is not a valid result of **crypt**(3), for instance ! or *, the user will not be able to use a unix password to log in (but the user may log in the system by other means).

This field may be empty, in which case no passwords are required to authenticate as the specified login name. However, some applications which read the /etc/shadow file may decide not to permit any access at all if the password field is empty.

A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

This means that neither allows password login to the account, but ! (exclamation mark) means that the account is locked and can be followed by the password the account had before it was locked. When unlocked, the ! is removed and the old password can be kept.

Now we both know 🙂
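To check which of these cases each account on a system falls into, here is a small classifier for the password field, added as an example and not part of the man page or the original post. The function names, the state labels and the regular expression that decides what looks like a crypt(3) result are assumptions, and the sample lines are constructed.

```python
import re

# Constructed sample lines in /etc/shadow format; the hash strings are
# made-up placeholders, not real crypt(3) output.
SAMPLE_SHADOW = """\
alice:$6$examplesalt$ExampleHashPlaceholder0123456789:19000:0:99999:7:::
bob:!$6$examplesalt$ExampleHashPlaceholder0123456789:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

# Heuristic (assumption): a "$id$..." modular-format string or a
# 13-character traditional DES string counts as a plausible crypt(3) result.
_HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def classify_password_field(field):
    """Map the second field of a shadow entry to one of five states."""
    if field == "":
        return "empty"                  # no password required at all
    if field.startswith("!"):
        # Locked: whatever follows the "!" is the field before locking.
        if _HASH_RE.match(field[1:]):
            return "locked-hash-kept"   # unlocking restores the old password
        return "locked-no-hash"         # nothing to restore on unlock
    if _HASH_RE.match(field):
        return "password-set"
    return "no-valid-password"          # e.g. "*": never matches any password


def audit_shadow(text):
    """Return {login name: state} for every entry in shadow-format text."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0] or line.startswith("#"):
            continue                    # skip blank or malformed lines
        result[parts[0]] = classify_password_field(parts[1])
    return result


if __name__ == "__main__":
    for user, state in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {state}")
```

Accounts reported as `empty` deserve attention first, and `locked-hash-kept` marks accounts whose old password becomes valid again as soon as the ! is removed.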