/etc/shadow file


This files stores passwords in an encrypted mode, in modern Unix-like systems, (later than 1990). Before this date the passwords were stored in the /etc/passwd file.

In the passwd file the passwords were also shadowed, but because any user has access to it, (read permission, only root can write), the access to the shadowed file, make it easy to appy brute force break passwords attempts.

How to avoid such brute force attacks?

According to Wikipedia.

Systems administrators can reduce the likelihood of such brute force attacks by making the list of hashed passwords unreadable by unprivileged users. The obvious way to do this is to make the passwd database itself readable only by the root user. However, this would restrict access to other data in the file such as username-to-userid mappings, which would break many existing utilities and provisions. One solution is a "shadow" password file to hold the password hashes separate from the other data in the world-readable passwd file. For local files, this is usually /etc/shadow on Linux and Unix systems, or /etc/master.passwd on BSD systems; each is readable only by root. (Root access to the data is considered acceptable since on systems with the traditional "all-powerful root" security model, the root user would be able to obtain the information in other ways in any case). Virtually all recent Unix-like operating systems use shadowed passwords.

/etc/shadow file parts

This file contains 7 fields separated by a colon (:), which are:

  1. User login name
  2. salt and hashed password OR a status exception value e.g:
    1. "NP" or "!" or null - No password, the account has no password.
    1. "LK" or "*" - the account is Locked, user will be unable to log-in
    1. "!!" - the password has expired
  3. Days since Jan 1st of 1970 last password change
  4. Days until change allowed
  5. Days before change required
  6. Days warning for expiration
  7. Days before account inactive
  8. Days since Jan 1st of 1970 when account expires
  9. Reserved