diff --git a/bin/hardening/99.3.1_acc_shadow_sha512.sh b/bin/hardening/99.3.1_acc_shadow_sha512.sh
index a1ca79c..bbad9fa 100755
--- a/bin/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/bin/hardening/99.3.1_acc_shadow_sha512.sh
@@ -31,6 +31,9 @@ audit () {
         passwd=$(echo "$line" | cut -d ":" -f 2)
         if [[ $passwd = '!' || $passwd = '*' ]]; then
             continue
+        elif [[ $passwd =~ ^!.*$ ]]; then
+            pw_found+="$user "
+            ok "User $user has a disabled password."
         # Check password against $6$<salt>$<encrypted>, see `man 3 crypt`
         elif [[ $passwd =~ ^\$6\$[a-zA-Z0-9./]{2,16}\$[a-zA-Z0-9./]{86}$ ]]; then
             pw_found+="$user "
diff --git a/tests/hardening/99.3.1_acc_shadow_sha512.sh b/tests/hardening/99.3.1_acc_shadow_sha512.sh
index 546d24b..7c4dbf1 100644
--- a/tests/hardening/99.3.1_acc_shadow_sha512.sh
+++ b/tests/hardening/99.3.1_acc_shadow_sha512.sh
@@ -13,6 +13,12 @@ test_audit() {
     register_test contain "User secaudit has a password that is not SHA512 hashed"
     run unsecpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
 
+    sed -i 's/secaudit:mypassword/secaudit:!!/' /etc/shadow
+    describe Fail: Found disabled password
+    register_test retvalshouldbe 0
+    register_test contain "User secaudit has a disabled password"
+    run lockedpasswd /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
     mv /tmp/shadow.bak /etc/shadow
     chpasswd << EOF
 secaudit:mypassword