View Password Change Logs in Linux

Logs are a valuable asset when troubleshooting servers and checking for root password changes. Password changes are logged in the following files:

For Ubuntu®/Debian® systems:


For CentOS®/RHEL® systems:


To check for root password changes, look for lines that mention either of the following messages:

password changed for root
Password for root was changed