If /etc/shadow has weak permissions, then passwords in it can be replaced. To create a new password, use: mkpasswd -m sha-512 $PASSWORD