What Is /etc/shadow
Last updated: April 11, 2026
Key Facts
- /etc/shadow was introduced in 1989 with the shadow password suite to enhance Unix security by separating password hashes from the world-readable /etc/passwd file
- Each /etc/shadow entry contains exactly 9 colon-separated fields: username, encrypted password, last change date, minimum age, maximum age, warning period, inactivity period, expiration date, and reserved field
- The file is typically readable only by root (permission mode 640 or 600), preventing unprivileged users from accessing password hashes used in cracking attempts
- Password hashes in /etc/shadow use cryptographic algorithms like SHA-512, bcrypt, or scrypt rather than plaintext, with prefixes ($6$, $2a$, etc.) indicating the hashing method
- The shadow file supports password aging policies: enforcing periodic password changes, setting a minimum password age (preventing immediate reuse), and automatically locking accounts after the password has expired
Overview
/etc/shadow is a critical system file in Linux and Unix-like operating systems that securely stores encrypted password information for user accounts. Introduced in 1989 with the shadow password suite, this file represents a major security advancement by separating sensitive authentication data from the world-readable /etc/passwd file.
The primary purpose of /etc/shadow is to protect password hashes from unauthorized access while maintaining backward compatibility with legacy systems. By restricting file permissions to the root user, the system prevents unprivileged users and attackers from obtaining encrypted passwords that could be subjected to offline brute-force attacks. This architectural design has become the standard for modern Unix-like systems, significantly improving overall system security posture.
How It Works
/etc/shadow contains one line per user account, with each line consisting of nine colon-separated fields that work together to manage authentication and account lifecycle:
- Username: The login name of the user account, matching the username in /etc/passwd for consistency and account linking
- Encrypted Password: The cryptographic hash of the user's password, generated using algorithms like SHA-512 ($6$), bcrypt ($2a$), or scrypt; the field begins with a $id$ prefix that identifies the hashing method used
- Last Password Change: The date of the last password change, expressed as the number of days since January 1, 1970 (the Unix epoch); this value is the basis for all password aging calculations and enforcement
- Minimum Password Age: The minimum number of days required before a user can change their password again, preventing password reuse and unauthorized frequent changes
- Maximum Password Age: The maximum number of days a password remains valid before expiration, forcing users to create new passwords at regular intervals for enhanced security
- Password Warning Period: The number of days before password expiration when the system begins warning users about upcoming password changes, allowing adequate preparation time
- Password Inactivity Period: The number of days after password expiration during which the user can still log in with their expired password before account lockout occurs
- Account Expiration Date: The number of days since the Unix epoch when the entire account becomes disabled, regardless of password validity, used for temporary accounts or contract-based access
- Reserved Field: Currently unused field reserved for future functionality in the shadow file format specification
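The nine fields and the aging rules described above, applied in code as an added example that is not from the original article. The sample lines and their hash values are constructed placeholders; the prefix table adds a few well-known crypt(3) identifiers ($1$, $5$, $y$) beyond the ones the article names, and the status names (`warning`, `password-expired`, and so on) are this example's own labels.

```python
from collections import namedtuple

# Prefix -> algorithm; $6$, $2a$ and scrypt are on the page, the rest are other crypt(3) ids.
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}

# The nine shadow(5) fields, in file order.
ShadowEntry = namedtuple("ShadowEntry", "user password last_change min_age max_age "
                                        "warn inactive expire reserved")

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one line into its nine fields; an empty numeric field becomes None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, password, *numeric, reserved = fields
    return ShadowEntry(user, password, *(int(f) if f else None for f in numeric), reserved)

def password_state(password: str) -> str:
    """Classify field 2: empty, locked, disabled, or the hash algorithm in use."""
    if password == "":
        return "empty"      # no password required at all: a finding on any audit
    if password.startswith("!"):
        return "locked"     # passwd -l / usermod -L prepend '!' to the stored hash
    if password == "*":
        return "disabled"   # password login impossible (typical for service accounts)
    return next((n for p, n in HASH_PREFIXES.items() if password.startswith(p)), "unknown")

def account_status(e: ShadowEntry, today: int) -> str:
    """Evaluate fields 3-8 the way login does; `today` is days since the Unix epoch."""
    if e.expire is not None and today >= e.expire:
        return "account-expired"    # field 8: the whole account is disabled
    if e.last_change == 0:
        return "must-change"        # 0 forces a password change at next login
    if e.last_change is None or e.max_age is None:
        return "ok"                 # aging disabled: the password never expires
    deadline = e.last_change + e.max_age
    if e.inactive is not None and today >= deadline + e.inactive:
        return "inactive-locked"    # grace period after expiry has run out
    if today >= deadline:
        return "password-expired"   # expired, but a change at login is still allowed
    if e.warn is not None and today >= deadline - e.warn:
        return "warning"            # login prints the "password will expire" notice
    return "ok"

# Constructed sample entries; the hashes are placeholders, not real digests.
SAMPLE = ["alice:$6$examplesalt$PLACEHOLDER.not.a.real.hash:19800:0:90:7:14::",
          "bob:!$6$examplesalt$PLACEHOLDER.locked.hash:19700:0:99999:7:::",
          "svc:*:19000:0:99999:7:::",
          "carol:$6$examplesalt$PLACEHOLDER.other.hash:19600:0:90:7::20000:"]
```

Running `account_status` over the same entry with different `today` values shows the full lifecycle the aging fields encode: ok, warning, expired, then locked once the inactivity period runs out.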
Key Comparisons
| Aspect | /etc/shadow | /etc/passwd |
|---|---|---|
| Access Permission | Readable only by root (mode 640 or 600) | Readable by all users (world-readable) |
| Contains | Encrypted password hashes and password aging data | User information like UID, GID, home directory, shell |
| Security Risk | Low; hashes protected from unauthorized access | Higher; visible to all users for potential attacks |
| File Size | Grows with each user account added to system | Similar growth pattern but contains different data types |
| Synchronization | Must be manually kept in sync with /etc/passwd entries | Primary user database file referenced during login |
Why It Matters
- Attack Prevention: By separating encrypted hashes from world-readable user information, /etc/shadow prevents attackers from obtaining password hashes for offline dictionary and brute-force attacks against user accounts
- Password Policy Enforcement: The file enables system administrators to enforce password aging policies, including mandatory password changes, minimum password age restrictions, and automatic account expiration for temporary users
- Administrative Control: System administrators can lock accounts, expire passwords, or set inactivity limits through /etc/shadow entries without modifying /etc/passwd, maintaining cleaner separation of concerns
- Compliance Requirements: Many security standards and compliance frameworks (including HIPAA, PCI-DSS, and CIS Benchmarks) require proper /etc/shadow configuration for achieving security certifications
The security significance of /etc/shadow cannot be overstated in modern Linux environments. Proper file permissions, regular backups, and monitoring of /etc/shadow changes are essential components of a comprehensive Unix-like system security strategy. System administrators must ensure that /etc/shadow and /etc/passwd remain synchronized while protecting /etc/shadow from unauthorized access through regular security audits and permission verification.