Shadow password file /etc/shadow explained

The problem with the traditional passwd file is that it had to be world readable so that programs could look up information about a user, such as the user's full name or login shell. That meant everyone could also read the password hash (historically called the "encrypted password") in the second field. Anyone could copy another user's hash, take it offline, and try billions of candidate passwords against it with no rate limiting and no log entry until one matched.

The shadow password file is used only by authentication and password-aging code and is not world readable: it is owned by root and readable only by root (and, on many distributions, a dedicated shadow group used by setuid helpers). There is no information in it that an ordinary program will ever need, so no regular user has permission to see the password hash field. The fields are colon separated, just like the passwd file.

Here is an example line from a /etc/shadow file (the nine fields described below, joined with colons):

nik:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220

nik – The user's login name.

Q,Jpl.or6u2e7 – The user's password hash (historically called the "encrypted password"). This 13-character form is the traditional DES-based crypt(3) hash: a two-character salt followed by 11 characters of hash output. Modern systems store hashes in the $id$salt$hash form (for example $6$ for SHA-512 or $y$ for yescrypt). A field beginning with ! or * is not a valid hash and so locks the account, and an empty field means no password is set.

10795 – Days since January 1, 1970 on which the password was last changed. A value of 0 forces the user to change the password at the next login.

0 – Minimum number of days that must pass before the password may be changed again. Usually zero, meaning the user may change it at any time. This field is not often used.

99999 – Maximum number of days the password remains valid before it must be changed. This is also rarely used; 99999 is the default and effectively disables password expiry.

7 – Number of days before the password expires that the user starts being warned of the pending expiration.

-1 – Number of days after the password expires during which the user may still log in (and must change the password) before the account is disabled. -1, or on modern systems an empty field, means the feature is not used.

-1 – Days since January 1, 1970 on which the account itself expires and is disabled, independent of password age. -1 or an empty field means the account never expires.

134537220 – Reserved for future use.
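As an added worked example (not part of the original post), the following Python parses shadow lines into the nine fields described above, converts the day counts to dates, classifies the hash field by its prefix, works out whether a password or account has expired for a given day, and checks that a shadow file is not world readable. The sample file contents are constructed for the example: the first line is the article's own entry, and the rest are invented entries that exercise the cases a modern shadow file contains (empty optional fields, a locked account, a system account with *, an empty hash, and a last-change day of 0).

```python
"""Parse /etc/shadow lines and flag the states an auditor cares about (added example)."""
import os
import stat
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

# Constructed sample file contents, not a real system's /etc/shadow.
# Line 1 is the article's example entry; the others are invented for the example.
SAMPLE_SHADOW = """\
nik:Q,Jpl.or6u2e7:10795:0:99999:7:-1:-1:134537220
alice:$6$saltsalt$hashhashhash:19000:0:90:7:14::
bob:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
carol::19000:0:99999:7:::
dave:$y$j9T$saltsalt$hashhashhash:0:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    last_change: Optional[int]   # days since epoch; 0 = must change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]    # days since epoch; absolute account expiry
    reserved: str


def _days_field(raw: str) -> Optional[int]:
    # An empty field, or the older -1 convention, means the feature is not used.
    return None if raw in ("", "-1") else int(raw)


def parse_shadow_line(line: str) -> ShadowEntry:
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(parts)}")
    return ShadowEntry(parts[0], parts[1], *map(_days_field, parts[2:8]), parts[8])


def days_to_date(days: int) -> date:
    """Convert a 'days since 1970-01-01' field to a calendar date."""
    return EPOCH + timedelta(days=days)


def hash_kind(pw_hash: str) -> str:
    """Classify the second field by its prefix."""
    if pw_hash == "":
        return "empty"          # no password set at all
    if pw_hash[0] in "!*":
        return "locked"         # never a valid hash, so no password can match
    if pw_hash.startswith("$"):
        ident = pw_hash.split("$")[1]
        return {"1": "md5crypt", "2b": "bcrypt", "2y": "bcrypt", "5": "sha256crypt",
                "6": "sha512crypt", "y": "yescrypt"}.get(ident, "unknown $" + ident + "$")
    if len(pw_hash) == 13:
        return "descrypt"       # traditional crypt(3): 2-char salt + 11 chars of hash
    return "unknown"


def password_state(e: ShadowEntry, today: int) -> str:
    """State of the password/account on day `today` (days since epoch)."""
    if e.expire_day is not None and today >= e.expire_day:
        return "account expired"
    if e.last_change == 0:
        return "must change at next login"
    if e.last_change is not None and e.max_days is not None:
        deadline = e.last_change + e.max_days
        if today > deadline:
            if e.inactive_days is not None and today > deadline + e.inactive_days:
                return "inactive (password expired too long ago)"
            return "password expired"
    return "ok"


def audit(shadow_text: str, today: int) -> dict:
    """Map each login name to (hash kind, password state)."""
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines() if l)
    return {e.name: (hash_kind(e.pw_hash), password_state(e, today)) for e in entries}


def mode_is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set; /etc/shadow must never have it."""
    return bool(mode & stat.S_IROTH)


def world_readable(path: str) -> bool:
    return mode_is_world_readable(os.stat(path).st_mode)


if __name__ == "__main__":
    today = (date.today() - EPOCH).days
    for name, (kind, state) in audit(SAMPLE_SHADOW, today).items():
        print(f"{name:8} {kind:12} {state}")
    print("nik last changed password on", days_to_date(10795))
    if os.path.exists("/etc/shadow"):
        print("/etc/shadow world readable:", world_readable("/etc/shadow"))
```

Note that `password_state` takes the current day as a parameter rather than reading the clock, so the same entry can be checked against any date; the sample's `alice` entry is "password expired" a few days past her 90-day limit and becomes "inactive" once the 14-day grace period has also passed.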

