/etc/shadow

Updated: April 19, 2023

This file stores hashed passwords and other account and password information.

Each line in /etc/shadow is in the following format:

username:password:last_change:min_age:max_age:warning:inactivity:expiry:reserved

username
The user's login name. It must be a valid username that exists on the system.
password
The user's hashed password.

If the password field contains a string that is not a valid password hash, the user cannot log in.

This field can be empty. When it is empty, it may be possible to log in as the corresponding user without specifying a password, depending on the application that performs the authentication or the configuration of the PAM module that performs the authentication.

If the password field starts with an exclamation mark, the password is locked. The characters that follow the exclamation mark are the password hash as it was before the password was locked.

The password is captured in one of the following formats:
  • @digest@hash@salt
  • @digest,iterations@hash@salt

where:

digest is a single character that indicates which digest function was used to hash the password. The following values are currently allowed: s (sha256), S (sha512).

iterations is the number of iterations to perform during key derivation. If not specified, the default value of 4096 is used.

hash is the Base64-encoded hashed password.

salt is the Base64-encoded salt value. A salt is a randomly generated sequence of bytes that changes the output of a cryptographic function. In practice, every password saved in /etc/shadow is hashed with a different salt, so an attacker cannot reuse one precomputed table against all of them, which makes them more difficult to crack.
last_change
The date of the last password change, expressed as the number of days since the start of the Unix Epoch.
min_age
The minimum number of days the user must wait after changing the password before it can be changed again.

An empty field or 0 specifies that no wait time is required.

max_age
The maximum number of days a password remains valid after it is changed. Once this many days have passed, the user must change the password and is prompted to do so at the next login.

An empty field or a value of 0 specifies that there is no maximum number of days after which the user must change the password.

warning
The number of days before the password expires during which the user is warned that the password must be changed.

An empty field or a value of 0 specifies that no warning is given.

inactivity
The password expiration date. Not currently implemented.
expiry
The account expiration date, expressed as the number of days since the Unix Epoch.

An empty field or a value of 0 specifies that the account never expires.

reserved
Reserved for future use.
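As an added example, not part of this page or of the system's own tools, the following Python code parses lines in the format described above, classifies the password field (empty, locked, hashed, or not a valid hash), converts the day counts to dates, and reports the conditions a reviewer of this file would look for. The sample entries are constructed for illustration, and the hash and salt values in them are placeholders.

```python
import re
from datetime import date, timedelta

DIGESTS = {"s": "sha256", "S": "sha512"}   # digest characters this page lists
# "@digest[,iterations]@hash@salt"; hash and salt are Base64 text per this page
HASH_RE = re.compile(r"@([sS])(?:,(\d+))?@([A-Za-z0-9+/]+=*)@([A-Za-z0-9+/]+=*)")

def parse_password_field(field):
    # Returns (status, digest_name, iterations); status is empty/locked/hashed/invalid
    if field == "":
        return "empty", None, None           # login without a password may be possible
    locked = field.startswith("!")           # text after "!" is the pre-lock hash
    m = HASH_RE.fullmatch(field[1:] if locked else field)
    if m is None:                            # "*", "!" alone, or any other non-hash string
        return ("locked" if locked else "invalid"), None, None
    digest_char, iterations, _hash, _salt = m.groups()
    return ("locked" if locked else "hashed"), DIGESTS[digest_char], int(iterations or 4096)

def days_to_date(value):
    # A days-since-Unix-Epoch field as a date; empty or 0 means "not set"
    return None if value in ("", "0") else date(1970, 1, 1) + timedelta(days=int(value))

def parse_shadow_line(line):
    # Unpacking raises ValueError unless the line has exactly the 9 fields described above
    user, pw, last, _min, max_age, _warn, _inact, expiry, _reserved = line.rstrip("\n").split(":")
    status, digest, iterations = parse_password_field(pw)
    last_change = days_to_date(last)
    due = (last_change + timedelta(days=int(max_age))   # date the password must be changed by
           if last_change and max_age not in ("", "0") else None)
    return {"username": user, "status": status, "digest": digest, "iterations": iterations,
            "last_change": last_change, "password_due": due, "expiry": days_to_date(expiry)}

def audit(lines, today):
    # Yield (username, finding) pairs for the conditions this page describes
    for e in map(parse_shadow_line, lines):
        if e["status"] == "empty":
            yield e["username"], "empty password field: passwordless login may be possible"
        if e["expiry"] and e["expiry"] <= today:
            yield e["username"], f"account expired on {e['expiry']}"
        if e["password_due"] and e["password_due"] <= today:
            yield e["username"], f"password expired on {e['password_due']}: change required at next login"

SAMPLE = [  # constructed entries for illustration, not taken from any real system
    "root:@S@aGFzaA==@c2FsdA==:19000:0:90:7::19500:",
    "svc:@s,10000@aGFzaA==@c2FsdA==:19000:0:0:0:::",
    "guest::19000:0:0:0:::",
    "old:!@S@aGFzaA==@c2FsdA==:18000:0:0:0::18500:",
    "nologin:*:18000:0:0:0:::",
]
```

Running `list(audit(SAMPLE, days_to_date("19466")))` (19466 days after the Epoch is 2023-04-19) reports root's overdue password, guest's empty password field, and old's expired account, while the locked and "*" entries produce no login-related finding.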