This file stores hashed passwords and other account and password information.

Each line in /etc/shadow is in the following format:

The user's login name. It must be a valid username that exists on the system.
The user's hashed password.

If the password field contains a string that is not a valid hash of the password, the user cannot log in.

This field can be empty. When it is empty, it may be possible to log in as the corresponding user without specifying a password, depending on the application that performs the authentication or the configuration of the PAM module that performs the authentication.

If the password field starts with an exclamation mark, the password is locked. The characters that follow the exclamation mark are the password hash before the password was locked.

The password is captured in one of the following formats:
  • @digest@hash@salt
  • @digest,iterations@hash@salt

digest is a single character that indicates which digest function was used to hash the password. The following values are currently allowed: s (sha256), S (sha512).

interations is the number of iterations to perform during key derivation. If not specified, the default value of 4096 is used.

hash is the Base64-encoded hashed password.

salt is the Base64-encoded salt value.

The date of the last password change, expressed as the number of days since the start of the Unix Epoch.
The minimum number of days the user must wait after changing the password before he or she can change it again.

An empty field or 0 specifies that no wait time is required.

When this number of days has passed after a password change, the user must change his or her password again. After this number of days has passed, the user is prompted to change the password the next time he or she logs in.

An empty field or a value of 0 specifies that there is no maximum number of days after which the user must change his or her password.

The number of days before the password is set to expire that users are warned that they must change their password.

An empty field or a value of 0 specifies that no warning is given.

The password expiration date. Not currently implemented.
The account expiration date, expressed as the number of days since the Unix Epoch.

An empty field or a value of 0 specifies that the account never expires.

Reserved for future use.