Subject: Re: "daily insecurity output" annoyance
To: Steven M. Bellovin <smb@research.att.com>
From: Simon J. Gerraty <sjg@quick.com.au>
List: tech-userlevel
Date: 01/25/2001 23:41:33
Steven M. Bellovin writes:
>I have similar complaints. How about "nopw" being the magic string
>you're looking for? Better yet, "*nopw", with "*" meaning "/etc/security
>should ignore this; the remaining characters may be significant to
>something else". That way, we can "*files-only" for an ownership id,
>"*ssh-only", "*anon-ftp", etc.
Solaris uses :NP: for no passwd. But I like the idea of *something.
I've been using the following at the start of the passwd field
for quite some time - i.e. various audit scripts frob the passwd file:
*IDLE* the account was locked due to inactivity.
*LOCKED* the account is valid but the user has been locked out for
some reason - e.g. known to be on leave for 2 months.
*WEAK* the account was locked because the passwd was guessed by crack.
Users only have to ring up to get their account unlocked a couple
of times to get the hint.
On some systems, where locking users out for weak passwds isn't accepted
(I don't always get to make the rules ;-), a post-processing step
re-activates the *WEAK* accounts but sets the passwd to expire on next
login.
Note that each of the above is prepended to the encrypted passwd - so
that the passwd can be reinstated by simply removing the *FOO*.
For accounts which should never have a valid passwd I like the idea
of *files-only etc.
--sjg
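The marker convention discussed in this thread, as an added example that is not code from either poster: the hash field is prefixed with *REASON* (the poster's *IDLE*, *LOCKED*, *WEAK*), which refuses login because no crypt(3) output ever starts with "*", while the original hash stays intact and is recovered by stripping the marker. The block also shows the daily-check side: an audit that reports marked accounts, skips "*something" tags that are meant for other tools (Bellovin's suggestion), flags empty password fields, and implements the post-processing step that re-activates *WEAK* accounts and hands back the names whose passwords must be expired. The passwd lines and hashes are constructed placeholders; the function names and the report layout are this example's own.

```python
import re
from typing import Optional

# A marker is an upper-case word wrapped in asterisks at the start of the hash field.
MARKER_RE = re.compile(r'^\*([A-Z]+)\*')

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell

# Constructed sample passwd lines; the "XXhash..." strings stand in for real crypt output.
SAMPLE_PASSWD = """\
root:XXhashrootXX:0:0:root:/root:/bin/sh
alice:XXhashaliceXX:1001:100:Alice:/home/alice:/bin/sh
bob:*IDLE*XXhashbobXX:1002:100:Bob:/home/bob:/bin/sh
carol:*LOCKED*XXhashcarolXX:1003:100:Carol:/home/carol:/bin/sh
dave:*WEAK*XXhashdaveXX:1004:100:Dave:/home/dave:/bin/sh
ftp:*anon-ftp:14:50:Anonymous FTP:/var/ftp:/sbin/nologin
guest::1005:100:Guest:/home/guest:/bin/sh
"""


def parse_passwd(text: str) -> list:
    """Split passwd-format text into 7-field records, rejecting malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != PASSWD_FIELDS:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(fields)
    return entries


def format_passwd(entries: list) -> str:
    """Inverse of parse_passwd: one colon-joined line per record."""
    return ''.join(':'.join(fields) + '\n' for fields in entries)


def lock_state(pw: str) -> Optional[str]:
    """Return the marker name (IDLE, LOCKED, WEAK, ...) or None if there is none."""
    m = MARKER_RE.match(pw)
    return m.group(1) if m else None


def lock(pw: str, reason: str) -> str:
    """Prepend *REASON* to the hash field. The leading '*' can never equal a
    crypt(3) result, so authentication fails, but the hash itself is kept."""
    if not (reason.isalpha() and reason.isupper()):
        raise ValueError("reason must be an upper-case word")
    if lock_state(pw) is not None:
        raise ValueError("field already carries a marker; unlock it first")
    return f"*{reason}*{pw}"


def unlock(pw: str) -> str:
    """Strip the leading *REASON* marker, restoring the original hash."""
    m = MARKER_RE.match(pw)
    if not m:
        raise ValueError("field carries no *REASON* marker")
    return pw[m.end():]


def audit(text: str) -> dict:
    """What a daily security check reports: marked accounts by reason, entries
    tagged '*something' for other tools (ignored here), and empty password fields."""
    report = {'locked': {}, 'ignored': [], 'no_password': []}
    for name, pw, *_ in parse_passwd(text):
        state = lock_state(pw)
        if state is not None:
            report['locked'][name] = state
        elif pw.startswith('*'):
            # "*files-only", "*anon-ftp", ...: meaningful to something else, not to us.
            report['ignored'].append(name)
        elif pw == '':
            report['no_password'].append(name)
    return report


def reactivate_weak(text: str):
    """The post-processing step for sites that won't lock weak passwords: drop the
    *WEAK* marker and return the affected names so the caller can force expiry
    (the expiry itself lives in shadow/aging data, outside this file)."""
    entries = parse_passwd(text)
    reactivated = []
    for fields in entries:
        if lock_state(fields[1]) == 'WEAK':
            fields[1] = unlock(fields[1])
            reactivated.append(fields[0])
    return format_passwd(entries), reactivated


if __name__ == '__main__':
    print(audit(SAMPLE_PASSWD))
    new_text, names = reactivate_weak(SAMPLE_PASSWD)
    print("set passwd to expire for:", names)
    print(new_text)
```

Run stand-alone it prints the audit of the constructed file and the rewritten file with dave's marker removed; a real deployment would write the result back under the same locking the system's passwd tools use (vipw / pwd_mkdb on BSD) rather than overwriting the file directly.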