When it comes to Linux server security, small oversights can turn into big vulnerabilities. One of the most overlooked risks is leaving unnecessary passwords on user accounts — especially the root
account. In this guide, we’ll show you how to remove user passwords, lock accounts, and explain why these steps are essential for securing your system.
🛠️ How to Delete a User’s Password
In most Linux distributions, including Amazon Linux 2, you can delete a user’s password with the passwd command. For example, to remove the root password:
sudo passwd -d root
And to remove the password for the ec2-user account:
sudo passwd -d ec2-user
What this does:
- Clears the password field for that account in /etc/shadow. The field is left empty, not locked. A stock Amazon Linux 2 image ships root as *LOCK* and ec2-user as !!, both already unusable, so on such an image passwd -d swaps a locked field for an empty one.
- Leaves password authentication with nothing to compare against, so a password login fails unless something is willing to accept an empty password. Two things can: PermitEmptyPasswords yes in sshd_config (the default is no), and the nullok option on pam_unix.so, which RHEL-family images including Amazon Linux 2 commonly carry in /etc/pam.d/system-auth (check with grep nullok /etc/pam.d/*). With nullok present, a local or serial-console login can succeed with no password at all. Treat passwd -d as a step on the way to locking, not as an end state.
- Does not touch SSH public-key login or sudo, so those remain the account's only ways in once the empty-password cases above are closed.
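As an added example (not code from the original post), the following shell script classifies /etc/shadow password fields the way the login path sees them, distinguishing the empty field that passwd -d leaves from the !-prefixed field that passwd -l produces, and mimics the -l transform on a field. The sample entries are constructed; the hash on the alice line is not a real hash. Run it as is, or as root point audit_shadow at the real /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original post: classify the password field of
# shadow(5) entries the way the login path sees it, and mimic what
# `passwd -l` does to that field. Works on the constructed sample below or,
# as root, on the real file:  audit_shadow /etc/shadow

# Print empty|locked|hashed for one shadow line.
shadow_state() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '')          echo empty ;;   # passwd -d: nothing to compare; nullok / PermitEmptyPasswords decide
        '!'* | '*'*) echo locked ;;  # passwd -l, usermod -L, or never set (!!, *, *LOCK*)
        *)           echo hashed ;;  # a real hash: password login (and guessing) is possible
    esac
}

# What passwd -l does to the field: prefix "!" unless it is already there.
# No password hashes to a string starting with "!", so the field is unusable.
lock_field() {
    case "$1" in
        '!'*) printf '%s\n' "$1" ;;
        *)    printf '!%s\n' "$1" ;;
    esac
}

# Print "user state" for every entry in a shadow-format file.
# Returns 1 if any account has an empty field, 0 otherwise.
audit_shadow() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        state=$(shadow_state "$line")
        if [ "$state" = empty ]; then rc=1; fi
        printf '%-10s %s\n' "$user" "$state"
    done < "$1"
    return "$rc"
}

# Constructed sample in shadow(5) format (the alice hash is a placeholder).
# root and ec2-user are shown as Amazon Linux 2 ships them: already locked.
# deploy shows the result of `passwd -d deploy`.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:*LOCK*:14600::::::
ec2-user:!!:19000:0:99999:7:::
deploy::19000:0:99999:7:::
alice:$6$saltsalt$Qm9ndXNIYXNo:19000:0:99999:7:::
EOF
audit_shadow "$SAMPLE" || echo "WARNING: empty password field found; run passwd -l on that account"
rm -f "$SAMPLE"
```

On the sample, deploy is reported as empty and the script exits 1; the other three are locked or hashed. Locking an empty field yields a bare "!", which is why passwd -d followed by passwd -l is safe while passwd -d alone is not.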
🔒 Locking the Account for Extra Security
Deleting a password is a good start, but locking the account adds another layer of protection. passwd -l prefixes the password field with !, a string no password can hash to, so even if password authentication is accidentally enabled in your SSH configuration (or an empty password would otherwise be accepted), a locked account won’t accept a password login.
To lock a user account:
sudo passwd -l root
sudo passwd -l ec2-user
You can unlock it again if needed:
sudo passwd -u root
passwd -u strips the leading ! and leaves whatever was behind it. If the account was emptied with passwd -d first, the unlocked result would be a passwordless account, so passwd refuses unless you add -f; set a real password with passwd root instead. Two further points worth knowing: locking only disables the password, so SSH key logins keep working under the distro default UsePAM yes (with UsePAM no, sshd itself refuses !-locked accounts, keys included); and if you want the account unusable by any method, expire it as well, for example with chage -E 1970-01-02 username.
🔐 Why This Matters
Locking accounts and removing passwords isn’t just good housekeeping — it’s critical security:
- Stops brute-force attacks – Password guessing over SSH is the most common attack an internet-facing server sees. A locked field (leading !) cannot match any password, and with PasswordAuthentication no sshd rejects the attempt before it ever consults the password file.
- Prevents misconfigurations from becoming vulnerabilities – Even if someone later enables password authentication in SSH, a locked account remains protected. An account that was only emptied with passwd -d does not get this safety net, which is why the lock step matters.
- Keeps root safer – The root account is the most targeted user on any Linux system. Locking its password means a leaked or guessed root password buys an attacker nothing; keep PermitRootLogin at its default of prohibit-password (or no) so root can never be reached over SSH with a password.
- Complies with best practices – Cloud platforms like AWS recommend disabling password login entirely in favor of SSH key authentication.
✅ Final Security Checklist
Before you finish hardening your server:
- Remove all unnecessary passwords with
passwd -d username
and follow it immediately with a lock, so the field is never left empty.
- Lock critical accounts with
passwd -l username
and confirm the field in /etc/shadow now starts with ! (or * on images that ship the account locked).
- Ensure /etc/ssh/sshd_config has
PasswordAuthentication no
PermitEmptyPasswords no
then validate the file with sshd -t and reload the sshd service (ssh on Debian/Ubuntu) rather than restarting it, so your current session stays up.
- Use SSH key pairs instead of passwords for remote access, and test a fresh key-based login from a second terminal before closing the one you are working in.
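An added example, not part of the original post: a small static checker for the sshd_config directives in this checklist, plus PermitRootLogin, which guards the same door. It honours two sshd parsing rules that trip people up: the first value for a keyword wins, and anything under a Match line is conditional, so only the global section is read. The two sample configs are constructed; on a live host, sudo sshd -T remains the authoritative view of the effective settings.

```shell
#!/bin/sh
# Added example, not from the original post: a static check of the
# password-related sshd_config directives. sshd keeps the FIRST value it
# reads for a keyword, and settings under a "Match" line apply only to that
# match, so this reads the global section only, first hit wins. Values are
# compared case-insensitively, as sshd does. Confirm on a live host with:
#   sudo sshd -T

# Print the effective global value of KEY in FILE (lower-cased), or nothing
# if the global section never sets it.
sshd_value() {
    key=$1; file=$2
    sed 's/#.*//' "$file" | awk -v k="$key" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }'
}

# Check the directives this page cares about. Prints one line per finding
# and returns 1 if anything is wrong, 0 if the file is clean.
check_sshd_config() {
    file=$1; rc=0

    pa=$(sshd_value PasswordAuthentication "$file")
    # sshd defaults this to yes, so an absent directive is a finding too.
    if [ "${pa:-yes}" != no ]; then
        echo "PasswordAuthentication is '${pa:-unset}' (sshd default is yes), want no"; rc=1
    fi

    pe=$(sshd_value PermitEmptyPasswords "$file")
    # Default is no. "yes" lets an account whose field passwd -d cleared log in
    # with an empty password, so only an explicit yes is a finding.
    if [ "$pe" = yes ]; then
        echo "PermitEmptyPasswords is 'yes', want no"; rc=1
    fi

    prl=$(sshd_value PermitRootLogin "$file")
    # Default since OpenSSH 7.0 is prohibit-password (older spelling:
    # without-password). Anything else lets root authenticate with a password.
    case "$prl" in
        '' | no | prohibit-password | without-password | forced-commands-only) ;;
        *) echo "PermitRootLogin is '$prl', want no or prohibit-password"; rc=1 ;;
    esac

    return "$rc"
}

# Constructed sample: the weak settings beside the hardened ones.
WEAK=$(mktemp); GOOD=$(mktemp)
cat > "$WEAK" <<'EOF'
PasswordAuthentication yes
PermitEmptyPasswords yes
PermitRootLogin yes
EOF
cat > "$GOOD" <<'EOF'
# keys only; root never by password
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes   # Match-local, not a global setting
EOF
echo "weak config:";     check_sshd_config "$WEAK" || true
echo "hardened config:"; check_sshd_config "$GOOD" && echo "ok"
rm -f "$WEAK" "$GOOD"
```

The weak file produces three findings; the hardened file passes, and the Match-local PasswordAuthentication yes does not leak into the global verdict. The checker only understands the "keyword value" form and does not follow Include lines, which is another reason to finish with sshd -T.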
By taking these simple steps, you’ll significantly reduce the risk of unauthorized access to your server — and sleep a lot better at night.
🏁 Final Thoughts
Securing your Linux server doesn’t always require complicated tools. Sometimes, the most effective changes are also the simplest. Deleting unused passwords and locking user accounts is a quick win that can protect your infrastructure from common attack vectors and accidental misconfigurations.