diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index cca87d8b4a5..12d9be94663 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -6,6 +6,16 @@ let ids = config.ids; cfg = config.users; + # Check whether a password hash will allow login. + allowsLogin = hash: + hash == "" # login without password + || !(lib.elem hash + [ null # password login disabled + "!" # password login disabled + "!!" # a variant of "!" + "*" # password unset + ]); + passwordDescription = '' The options , and @@ -596,7 +606,7 @@ in { || cfg.group == "wheel" || elem "wheel" cfg.extraGroups) && - (cfg.hashedPassword != null + (allowsLogin cfg.hashedPassword || cfg.password != null || cfg.passwordFile != null || cfg.openssh.authorizedKeys.keys != [] @@ -639,15 +649,13 @@ in { content = "${base64}${sep}${base64}"; mcf = "^${sep}${scheme}${sep}${content}$"; in - if (user.hashedPassword != null # login disabled + if (allowsLogin user.hashedPassword && user.hashedPassword != "" # login without password && builtins.match mcf user.hashedPassword == null) - then - '' + then '' The password hash of user "${name}" may be invalid. You must set a valid hash or the user will be locked out of their account. Please - check the value of option `users.users."${name}".hashedPassword`. - '' + check the value of option `users.users."${name}".hashedPassword`.'' else null ));
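Review bot: `allowsLogin` in the first hunk treats only the exact strings `"!"`, `"!!"` and `"*"` as locked, so a hash locked by prefixing it (a `!` followed by a crypt string, the form shadow(5) describes for a locked password) is reported as allowing login. In the `@@ -596` hunk this lets the wheel/root lockout assertion pass on an account whose password cannot be used. In the `@@ -639` hunk such a value probably falls through to the "may be invalid" warning instead of being recognised as deliberately locked, though that depends on how `mcf`, which is built partly outside the hunk, is anchored. Consider `allowsLogin = hash: hash != null && hash != "*" && !(lib.hasPrefix "!" hash);`, keeping the per-value comments. The leading comment could also say that the function covers password login only, since SSH keys are tested separately in the assertion.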
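Review bot: An empty `hashedPassword` is excluded from the warning in the `@@ -639` hunk by the unchanged `&& user.hashedPassword != ""` line, so the one value this commit itself labels "login without password" produces no diagnostic at all. If that state is not always intentional, a separate warning for `user.hashedPassword == ""` would make it visible at evaluation time, for example `The user "${name}" has an empty password hash and can log in without a password.` The `if` sits inside an expression that starts and ends outside the hunk, so the exact place to add it cannot be judged from here.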