Introduction
Forgetting a password for a user account or the root user is a common scenario, especially if the system is rarely used or a password manager is temporarily unavailable. In Linux, credentials are never stored in plain text; instead, they are protected by hashing in the /etc/shadow file. You can reset them without reinstalling the OS by leveraging the GRUB bootloader. This method grants direct access to the root console, allowing you to securely change the password while preserving all data and configurations.
Requirements and Preparation
Before you begin, ensure you have physical access to the machine or access to a virtual console (KVM/IPMI). This method requires knowing the username whose password needs to be reset. If you don't remember that either, run cat /etc/passwd after entering the recovery console to view a list of all user accounts.
⚠️ Important: This method works on standard unencrypted partitions. If disk encryption (LUKS) was enabled during OS installation, the bootloader will still prompt for the decryption password. Once entered, you will gain access to edit the GRUB parameters.
Step 1: Intercepting the Boot Process
Reboot the system. Immediately after BIOS/UEFI initialization, press and hold the Shift key (for BIOS/CSM) or repeatedly tap Esc (for UEFI) until the GRUB menu appears. If the system boots straight into the OS instead, use Ctrl + Alt + Del or perform a hard shutdown to restart and try again.
Step 2: Editing Kernel Parameters
In the GRUB menu, use the arrow keys to highlight the first entry (usually labeled Ubuntu, Debian GNU/Linux, or Linux). Press the e key. This will open the built-in text editor for boot parameters.
Locate the line that begins with linux or linuxefi. It contains the path to the kernel and the root mount parameters. It typically looks like this:
linux /boot/vmlinuz-5.15.0-91-generic root=UUID=a1b2c3d4-... ro quiet splash $vt_handoff
Step 3: Booting into Recovery Mode
In the identified line, replace the ro (read-only) parameter with rw (read-write). Remove quiet splash to display system logs, and append the following to the very end of the line: init=/bin/bash.
The final configuration should look similar to this:
linux /boot/vmlinuz-... root=UUID=... rw init=/bin/bash $vt_handoff
Press Ctrl + X or F10 to continue booting. The system will bypass the standard systemd startup and all background services, immediately dropping you into a root console.
Step 4: Changing the Password
In the terminal that appears, run the command to change the password. Specify the username whose access you need to restore:
passwd your_username
If you specifically need to reset the root password, run:
passwd root
The system will prompt you to enter the new password twice. Characters will not be displayed as you type—this is a standard security measure.
💡 Tip: For RHEL-based distributions like Rocky Linux or AlmaLinux with SELinux enabled, run the touch /.autorelabel command before rebooting. This forces the system to correctly rebuild security contexts on the next startup.
Step 5: Properly Rebooting the System
Do not power off the machine using the hardware button. To safely shut down and return to the standard boot process, run:
exec /sbin/init
# or
reboot -f
After rebooting, log in with the new password. Open a terminal and verify that privileges are working correctly by running sudo -l. If a list of allowed operations is displayed, the recovery was successful.
Troubleshooting
Authentication token manipulation error. This occurs when the filesystem is mounted as read-only despite the rw parameter. Force a remount by running mount -o remount,rw /, then retry the passwd command.
System ignores init=/bin/bash. Some modern UEFI builds or distributions with Secure Boot enabled may block the passing of custom parameters. Try booting via Advanced options → Recovery mode → root (Drop to root shell prompt) in the GRUB menu.
Password rejected due to PAM policies. Enterprise distributions often enforce the pam_pwquality module, which requires complex passwords. If the system rejects your input, use a combination of uppercase letters, numbers, and special characters, or temporarily comment out the password requisite pam_pwquality.so line in /etc/pam.d/common-password.
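The checks from the steps and troubleshooting notes above (does the account exist, is / actually mounted read-write, is an SELinux relabel needed) can be bundled into one read-only pre-flight script for the recovery shell. This is an added example, not part of the original guide: the function names are hypothetical, the sample files are constructed, and it assumes /proc is mounted in the recovery shell and that regular users start at UID 1000.

```shell
#!/bin/sh
# Added example: read-only pre-flight checks for the init=/bin/bash shell.
# Function names are hypothetical; file arguments default to the live system.

# Print rw, ro or unknown for / from a /proc/mounts-format file (last entry wins).
root_mount_mode() {
    [ -r "${1:-/proc/mounts}" ] || { echo unknown; return; }
    awk '$2 == "/" { m = "unknown"; n = split($4, o, ",")
             for (i = 1; i <= n; i++) if (o[i] == "rw" || o[i] == "ro") m = o[i] }
         END { print (m == "" ? "unknown" : m) }' "${1:-/proc/mounts}"
}

# List accounts a person can log in to: root plus regular users with a real shell.
# Assumption: regular users start at UID 1000 (a common distribution convention).
login_accounts() {
    awk -F: '($3 == 0 || ($3 >= 1000 && $3 < 65534)) &&
             $7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Succeed if the SELinux config enables it, meaning /.autorelabel is needed.
selinux_configured() {
    grep -Eq '^SELINUX=(enforcing|permissive)' "${1:-/etc/selinux/config}" 2>/dev/null
}

# Usage: preflight USER [MOUNTS_FILE] [PASSWD_FILE] [SELINUX_CONFIG]
preflight() {
    user=$1
    login_accounts "$3" | grep -qxF "$user" || { echo "no login account '$user'"; return 1; }
    if [ "$(root_mount_mode "$2")" != rw ]; then
        echo "/ is not read-write; run: mount -o remount,rw /"; return 1
    fi
    if selinux_configured "$4"; then echo "after passwd, run: touch /.autorelabel"; fi
    echo "ready: passwd $user"
}

# Constructed sample files (not from a real host) for trying the functions offline.
write_samples() {
    printf '%s\n' 'rootfs / rootfs rw 0 0' \
        '/dev/sda2 / ext4 ro,relatime,errors=remount-ro 0 0' > "$1/mounts"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$1/passwd"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/selinux"
}

# Run against the live system only when asked: sh preflight.sh --check USER
if [ "${1:-}" = "--check" ]; then preflight "$2"; fi
```

The script changes nothing on disk; it only reports which command from this guide to run next.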