View Password Change Logs in Linux

Logs are a valuable asset when troubleshooting servers and checking for root password changes. Password changes are logged in the following files:

For Ubuntu®/Debian® systems:

/var/log/auth.log

For CentOS®/RHEL® systems:

/var/log/secure

To check for root password changes, look for lines that mention either of the following messages:

password changed for root
Password for root was changed