How To Change Root Password on Debian 13

Managing a Linux server comes with its fair share of responsibilities. One of the most fundamental — yet often overlooked — tasks is keeping your root account credentials secure and up to date. Whether you just spun up a fresh Debian 13 Trixie installation, inherited a server from a previous administrator, or simply forgot what password you set six months ago, knowing how to change or reset the root password on Debian 13 is a skill every Linux user should have in their toolkit.
This guide walks you through five reliable methods to change the root password on Debian 13, from a simple one-line terminal command to a full GRUB recovery procedure for situations where you’ve lost access entirely. All methods have been verified on Debian 13 Trixie. No matter your experience level — beginner, intermediate, or seasoned sysadmin — you’ll find the right approach here.
Quick tip: If you’ve already forgotten your root password and need emergency access, skip directly to Method 4 (GRUB Recovery).
What Is the Root User in Debian 13?
The root user is Linux’s superuser — the most privileged account on any Debian system. It has unrestricted read and write access to every file, directory, configuration, and system command on the machine. Think of it as the master key to your entire server.
One important detail specific to Debian 13 (and carried over from Debian 12 Bookworm): if you didn’t set a root password during installation, Debian locks the root account by default and grants your initial user account full sudo privileges instead. This design intentionally reduces the attack surface of the system by discouraging direct root logins.
Understanding the difference between two types of admin access matters here:
- Root login: Directly authenticating as the root user via su - or a direct login prompt
- Sudo access: Running privileged commands as your regular user account using sudo, with a full audit trail logged to /var/log/auth.log
This distinction shapes which recovery method you’ll use, so keep it in mind as you read through each section.
Why You Might Need to Change the Root Password
There’s no single reason someone needs to change the root password on Debian 13. Here are the most common real-world scenarios:
- Forgotten password — By far the most frequent situation, especially after a long period of inactivity
- Server handover — Taking ownership of a VPS or dedicated server where the original admin set the credentials
- Security policy compliance — Many organizations enforce periodic password rotation for all administrative accounts as part of their CIS Benchmark or ISO 27001 requirements
- Post-installation hardening — Activating a root password on a system where the account was locked during install
- Compromised credentials — Suspected or confirmed exposure of the root password in a breach
Regardless of the reason, changing your root password is a straightforward process. Always use a strong password — at minimum 12 characters mixing uppercase, lowercase, numbers, and special characters. Never reuse passwords across servers.
Prerequisites
Before diving in, confirm you have the following:
- Debian 13 (Trixie) installed — desktop or headless server
- Terminal access, SSH connection, or physical console access
- A sudo-privileged user account (required for Methods 1 and 2)
- Physical or KVM/VNC console access for GRUB-based methods (Methods 4 and 5)
Not sure whether your root account is locked or has a password set? Run this quick check:
sudo passwd -S root
- Output root L → root account is locked (no password set)
- Output root P → root account has an active password
Method 1: Change Root Password While Logged In as Root
Best for: Users already in an active root session
Difficulty: Beginner | Time: Under 1 minute
This is the simplest approach. If you are already logged in as root — whether in a terminal, TTY, or SSH session — changing the password takes a single command.
Step 1: Open a terminal or connect to your server via SSH as root.
Step 2: Confirm your identity:
whoami
Expected output: root
Step 3: Run the password change command:
passwd
Step 4: Enter your new password when prompted. Note that Linux hides the input — nothing will appear on screen as you type. That’s normal.
Step 5: Re-enter the password to confirm it.
Step 6: You should see:
passwd: password updated successfully
That’s it. Your root password is now updated. If you see a warning like “BAD PASSWORD: The password is too short” or “it is too simple,” Debian 13’s PAM (Pluggable Authentication Modules) quality policy is flagging your choice. As root, you can still override this by typing the password again — but it is strongly recommended to use a stronger password rather than bypassing the check.
Method 2: Change Root Password Using sudo passwd root
Best for: Non-root users with sudo privileges setting or resetting the root password
Difficulty: Beginner | Time: Under 1 minute
This method is the go-to approach on most default Debian 13 installations, where the root account starts locked and your admin user has sudo access.
Step 1: Open a terminal (Ctrl+Alt+T on desktop) or connect via SSH as your regular sudo user.
Step 2: Run:
sudo passwd root
Step 3: You’ll be asked for your sudo user’s password first — this is your own login password, not the root password.
Step 4: Enter the new root password when prompted.
Step 5: Confirm it by entering the same password again.
Step 6: Confirmation message:
passwd: password updated successfully
This single command both sets the root password and unlocks the root account if it was previously locked. From this point forward, you can use su - to switch into root from any user session.
Method 3: Change Root Password by Switching to Root with su -
Best for: Users who know the current root password and want to change it from a non-root terminal session
Difficulty: Beginner | Time: 1–2 minutes
Step 1: Open a terminal or SSH session as a regular user.
Step 2: Switch to the root user using:
su -
The - (dash) flag is important — it loads the full root environment including the correct PATH and home directory. Using plain su without the dash drops you into root without loading root’s environment, which can cause unexpected behavior with certain commands.
Step 3: Enter the current root password when prompted.
Step 4: Verify you’re now in the root shell:
whoami
Output: root
Step 5: Change the password:
passwd
Step 6: Enter and confirm the new password.
Step 7: Once done, exit the root shell safely:
exit
Important: This method requires you to know the existing root password. If you’ve forgotten it, proceed to Method 4.
Method 4: Reset Root Password via GRUB Boot Menu (Forgotten Password)
Best for: Users who have completely forgotten or lost the root password
Difficulty: Intermediate | Time: 5–10 minutes
Requirement: Physical access, KVM, or VNC console access to the machine
This is the most critical recovery method in any Linux administrator’s arsenal. Debian 13 uses GRUB 2 as its bootloader, which allows you to interrupt the normal boot process, pass a custom kernel parameter, and drop directly into a root shell — no password required.
Step 1: Access the GRUB Menu
Reboot your system:
sudo reboot
Or physically power-cycle the machine. As soon as the screen goes dark and the system starts posting:
- BIOS systems: Hold the Shift key to force the GRUB menu to appear
- UEFI systems: Rapidly press Esc during the early boot phase
You should see the GRUB countdown screen with Debian boot options listed.
Step 2: Edit the Boot Entry
Use the arrow keys to highlight the first Debian 13 entry. Do not press Enter. Instead, press E to open the entry for editing.
Step 3: Append the Init Parameter
You’ll see a screen of boot configuration text. Locate the line that begins with:
linux /boot/vmlinuz-...
Use the End key to jump to the end of that line. Carefully append the following parameter (separated by a space from whatever text came before it):
init=/bin/bash
Your edited line should end with something like:
... ro quiet init=/bin/bash
Step 4: Boot into the Emergency Shell
Press Ctrl+X or F10 to boot with the modified parameters.
Your system will skip the normal boot process and drop into a minimal root Bash shell. There is no login prompt, no password asked. You have direct root access.
Step 5: Remount the Filesystem as Read-Write
By default, the root filesystem mounts as read-only in this mode. You must remount it with write permissions before you can save any changes:
mount -o remount,rw /
Verify the remount was successful:
mount | grep " / "
Look for rw in the options column. If you still see ro, the remount did not apply — try the command again before proceeding.
Step 6: Change the Root Password
Now run:
passwd
Enter and confirm your new password. You should see passwd: password updated successfully.
Step 7: Reboot the System Cleanly
To ensure filesystem integrity, hand control back to systemd's init, which replaces the emergency shell and continues a normal boot:
exec /sbin/init
If that doesn’t respond, use a forced reboot:
reboot -f
After the system boots normally, log in as root with the new password you just set.
Method 5: Reset Root Password Using a Live CD/USB
Best for: Cases where GRUB is password-protected, inaccessible, or the system won’t boot
Difficulty: Intermediate | Time: 10–15 minutes
Sometimes the GRUB menu itself is locked with a password, or the disk needs to be accessed from outside the installed system. A Linux Live USB solves this cleanly.
Step 1: Boot from a Debian 13 Live ISO or any compatible Linux live environment (Ubuntu Live USB works fine too).
Step 2: Open a terminal in the live environment.
Step 3: Identify your Debian root partition:
lsblk
Or for more detail: fdisk -l. Look for a partition formatted as ext4 — usually /dev/sda1 or /dev/nvme0n1p2.
Step 4: Mount the partition:
mount /dev/sdXn /mnt
Replace /dev/sdXn with your actual partition identifier.
Step 5: Chroot into the mounted Debian system:
chroot /mnt /bin/bash
You are now operating inside your Debian 13 installation as if you booted directly into it.
Step 6: Change the root password:
passwd
Step 7: Exit the chroot environment and unmount:
exit
umount /mnt
Step 8: Reboot into your normal Debian 13 system and log in with the new password.
Note: This method does not work on fully LUKS-encrypted volumes without the disk encryption passphrase. Encryption is a separate layer of protection that cannot be bypassed via Live USB.
Verifying the Root Password Change
After using any of the five methods above, confirm the change actually took effect before you close your session or reboot:
sudo passwd -S root
The output will look something like:
root P 02/01/2026 0 99999 7 -1
- P confirms an active password is set
- The date reflects when the password was last changed
You can also test directly by switching to root:
su -
Enter the new password when prompted. If the switch succeeds, you’re good to go.
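The status line above can also be checked by a script instead of by eye. The following is an added example, not part of the original guide: it reads the status and maximum-age fields of a passwd -S line and compares the maximum age with the 90-day value this guide uses for chage. The function name, return codes and sample lines are assumptions made for illustration.

```sh
# Constructed sample lines in the format `passwd -S root` prints.
SAMPLE_DEFAULT='root P 02/01/2026 0 99999 7 -1'
SAMPLE_LOCKED='root L 02/01/2026 0 99999 7 -1'
SAMPLE_ROTATED='root P 02/01/2026 0 90 7 -1'

# audit_passwd_status LINE [MAX_DAYS]   (hypothetical helper)
# Prints one finding; returns 0 = ok, 1 = needs attention, 2 = unparseable.
audit_passwd_status() {
    max_wanted=${2:-90}
    # Fields: user, status, last change, min age, max age, warn, inactive.
    read -r user status changed min max warn inactive <<EOF
$1
EOF
    if [ -z "$inactive" ]; then
        echo "unparseable status line"
        return 2
    fi
    case $status in
        P)  ;;                       # usable password
        L)  echo "$user: password is locked, password logins as root are disabled"
            return 1 ;;
        NP) echo "$user: account has no password"
            return 1 ;;
        *)  echo "$user: unknown status '$status'"
            return 2 ;;
    esac
    # The maximum age must be an integer; -1 and 99999 both mean "no expiry".
    case ${max#-} in
        ''|*[!0-9]*) echo "$user: non-numeric maximum age '$max'"; return 2 ;;
    esac
    if [ "$max" -lt 0 ] || [ "$max" -gt "$max_wanted" ]; then
        echo "$user: password set, but it does not expire within $max_wanted days (maximum age: $max)"
        return 1
    fi
    echo "$user: password set (last change $changed), expires after $max days"
    return 0
}

# On a live system: audit_passwd_status "$(sudo passwd -S root)"
```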
Root Password Security Best Practices on Debian 13
Changing the password is step one. Keeping your root account secure long-term requires a few additional measures that any serious Linux administrator should implement.
Disable root login via SSH. Direct root SSH access is a prime target for brute-force attacks. Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Find the line PermitRootLogin and change it to:
PermitRootLogin no
Save and restart SSH:
sudo systemctl restart sshd
Enforce password expiration. Use chage to force periodic password changes:
sudo chage -M 90 root
This sets a 90-day expiration on the root password.
Prefer sudo over direct root access. Every sudo command creates an entry in /var/log/auth.log, giving you a full audit trail of who did what and when. Direct root logins leave no per-user trace.
Monitor failed login attempts. Install fail2ban to automatically block IP addresses after repeated failed SSH authentication attempts:
sudo apt install fail2ban
Use SSH key-based authentication. Disable password-based SSH logins entirely in favor of cryptographic key pairs — far more resistant to credential attacks than even the strongest password.
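sshd uses the first value it reads for each keyword, and Debian's default sshd_config begins by including /etc/ssh/sshd_config.d/*.conf, so a drop-in file can silently win over an edit made lower down in the main file. The added example below (not part of the original guide) therefore checks the effective settings as printed by sshd -T rather than the file contents; the function names and the sample dump are assumptions made for illustration.

```sh
# Constructed sample of `sshd -T` output (lowercase keyword, then value).
SAMPLE_EFFECTIVE='port 22
permitrootlogin without-password
passwordauthentication yes
pubkeyauthentication yes'

# effective_value KEYWORD   (hypothetical helper)
# Reads `sshd -T` output on stdin and prints the value of KEYWORD.
effective_value() {
    awk -v k="$1" 'tolower($1) == k { print $2; exit }'
}

# check_root_ssh   (hypothetical helper)
# Reads `sshd -T` output on stdin, prints one finding per setting and
# returns 0 only if both settings match what this guide recommends.
check_root_ssh() {
    dump=$(cat)
    root=$(printf '%s\n' "$dump" | effective_value permitrootlogin)
    pw=$(printf '%s\n' "$dump" | effective_value passwordauthentication)
    rc=0
    case $root in
        no) echo "ok: root SSH login disabled" ;;
        without-password|prohibit-password)
            echo "warn: root may still log in with a key (permitrootlogin $root)"
            rc=1 ;;
        '') echo "error: permitrootlogin missing from input"; rc=1 ;;
        *)  echo "fail: permitrootlogin $root"; rc=1 ;;
    esac
    case $pw in
        no) echo "ok: SSH password logins disabled" ;;
        *)  echo "fail: passwordauthentication ${pw:-missing}"; rc=1 ;;
    esac
    return $rc
}

# On a live system, validate the files first, then inspect the result:
#   sudo sshd -t && sudo sshd -T | check_root_ssh
```

Running sshd -t before restarting the service catches syntax errors that would otherwise lock you out of a remote machine.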
Troubleshooting Common Issues
| Error / Symptom | Likely Cause | Fix |
|---|---|---|
| passwd: Authentication token manipulation error | Filesystem still mounted read-only | Re-run mount -o remount,rw / |
| su: Authentication failure | Root account is locked | Run sudo passwd root to set and unlock |
| GRUB menu not appearing | System auto-booting too fast | Hold Shift (BIOS) or press Esc repeatedly (UEFI) |
| Password saved but login still fails | Account still flagged as locked | Run sudo passwd -u root to force-unlock |
| init=/bin/bash drops to busybox | Shell path issue | Try init=/bin/sh as an alternative |
| Encrypted disk (LUKS) blocking recovery | Disk encryption active | Enter LUKS passphrase at the early boot prompt first |
Congratulations! You have successfully changed the root password. Thanks for using this tutorial to change the root password on a Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the Ubuntu website.