There is no way to list or do a WHOHAS for NOPW.
The best way to find these acids is to run a TSSCFILE (must be run by the MSCA) with TSS LIST(ACIDS) DATA(PASSWORD).
The password field will show two different values:
PASSWORD = *NOPW*
The *NOPW* means the acid does not have a password.
The blank means that the acid has a password.
You can look at record type 3000 for the password field value and look at those acids that have *NOPW*.