Users, groups, and permissionsIntermediate19 min read

What Does /etc/shadow Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

The /etc/shadow file keeps your computer passwords safe. When you log in, the system checks your password against the stored encrypted version in this file. Only the root user can read it, which helps protect everyone's passwords.

Commonly Confused With

/etc/shadowvs/etc/passwd

The /etc/passwd file stores user account information like username, UID, GID, home directory, and default shell. It is world-readable and does not contain password hashes in modern systems. The /etc/shadow file stores only security-sensitive data, including the password hash and aging info, and is restricted.

If you need to find a user's home directory, you look in /etc/passwd. If you need to check when their password expires, you look in /etc/shadow.

/etc/shadowvs/etc/gshadow

The /etc/gshadow file is the group equivalent of /etc/shadow. It stores encrypted group passwords (if set) and group administrator information. While /etc/shadow handles individual user passwords, /etc/gshadow handles group security.

To set a password for a group that allows non-members to join, that password is stored in /etc/gshadow. Your personal login password is stored in /etc/shadow.

/etc/shadowvs/etc/security/opasswd

The /etc/security/opasswd file stores old passwords for users, used by the password history feature (remember= in /etc/pam.d/passwd). While /etc/shadow stores the current password hash, opasswd stores previous hashes to prevent reuse.

If you try to change your password to something you used three months ago, the system checks /etc/security/opasswd and blocks the change. Your current password is always in /etc/shadow.

/etc/shadowvs/etc/shadow-

The /etc/shadow- file (with a dash) is a backup copy of /etc/shadow created by utilities like pwconv. It is not directly used for authentication but exists as a fallback if the main /etc/shadow becomes corrupted.

After running the command 'pwconv', a backup is created at /etc/shadow-. If you accidentally break /etc/shadow, you can copy this backup back to restore functionality.

Must Know for Exams

The /etc/shadow file is a high-frequency topic in certification exams such as CompTIA Linux+ (XK0-005), Red Hat Certified System Administrator (RHCSA), and the Linux Professional Institute (LPI) Linux Essentials and LPIC-1 exams. In the CompTIA Linux+ exam, it appears under Domain 2 (System Operation and Maintenance) and Domain 4 (Security), specifically objectives related to user and group management, password policies, and file permissions. For RHCSA, it is tested in the context of managing local users and groups, configuring password aging, and securing system files.

Exam questions typically ask about the file's location (always /etc/shadow), its permissions (often 000 or 640, owned by root:shadow), and its nine colon-separated fields. You may be given a sample line and asked to interpret the password hash type (e.g., $6$ means SHA-512) or identify which field controls the minimum password age. Multiple-choice questions may present scenarios where you need to determine why a user cannot change their password-often because the minimum age field (field 4) has not elapsed.

Other question formats include command-based scenarios: "Which command would you use to lock a user account?" (usermod -L or passwd -l, which adds an exclamation mark to the hash field in /etc/shadow). You might also be asked to configure password aging using chage, which directly manipulates the /etc/shadow fields. Performance-based questions (PBQs) in Linux+ may have you edit /etc/shadow directly to unlock an account or set an expiration date. Knowing the structure and purpose of each field is critical for these tasks.

Simple Meaning

Think of /etc/shadow as a highly secure safe inside a castle, where the keys to every room are kept. In the world of Linux and Unix computers, every user has a password, and those passwords need to be stored somewhere so the computer can check them when you log in. But storing passwords in plain text is like leaving your house key under the doormat-anyone can find it and use it. That is why the /etc/shadow file exists.

This file contains something called a hash of your password, not the password itself. A hash is like a special, one-way digital fingerprint. If your password is "dolphin", the computer runs it through a mathematical process that turns it into a long, scrambled string of characters, like "$6$xyz123$abc...". Even if someone steals the hash, they cannot easily figure out that your password is "dolphin" because hashing is a one-way street-you cannot unscramble the egg.

The /etc/shadow file also keeps track of important password rules, such as when you last changed your password, when it will expire, and how many days you must wait before changing it again. Only a special administrator account called root can read or edit this file, which is why it is called "shadow"-it is hidden away from regular users. If an ordinary user tries to look at it, the system says "Permission denied." This file is a fundamental part of keeping a Linux system secure, and every IT professional who works with Linux needs to understand how it works.

Full Technical Definition

The /etc/shadow file is a critical component of Linux and Unix user authentication, serving as the secure repository for encrypted password hashes and password aging information. It is part of the Shadow Password Suite, a set of utilities designed to replace the older, less secure practice of storing password hashes in the world-readable /etc/passwd file.

The file is owned by the root user and the shadow group, with permissions typically set to 000 or 640, meaning only root or members of the shadow group can read it. This prevents unprivileged users from accessing the stored hashes, which would otherwise be vulnerable to offline brute-force attacks. Each line in the file corresponds to one user account and is colon-separated into nine fields: username, encrypted password hash, last password change date (in days since January 1, 1970), minimum password age, maximum password age, password warning period, password inactivity period, account expiration date, and a reserved field.

The password hash field can contain various hash types, indicated by a prefix. For example, a hash starting with "$1$" is MD5, "$2a$" or "$2y$" is Blowfish, "$5$" is SHA-256, and "$6$" is SHA-512-the most common on modern systems. A hash value of "*" or "! " means the account is locked and cannot be used for login, while an empty field allows login without a password (a serious security risk). The password aging fields enforce policies such as forcing users to change passwords periodically, preventing reuse of old passwords, and disabling inactive accounts.

The /etc/shadow file interacts with the Pluggable Authentication Module (PAM) system, which handles the actual authentication process. When a user logs in, PAM calls the pam_unix module, which reads the hash from /etc/shadow, hashes the entered password with the same algorithm and salt, and compares the two hashes. If they match, access is granted. This file is also consulted by commands like passwd, chage, and usermod, which modify user password settings. In enterprise environments, /etc/shadow may be managed through network information services like LDAP or centralized authentication, but its local role remains foundational.

Real-Life Example

Imagine your apartment building has a central mailbox area. Each resident has a mailbox with a number. The building manager keeps a master list of mailbox numbers and their corresponding keys-but the list doesn't say "John's key opens box 7." Instead, it has a special code for each key that only the manager can decode. If you lose your key, you can't just look up a spare; you must prove your identity to the manager.

In this analogy, the master list is the /etc/shadow file. The mailbox numbers are the usernames, and the codes are the password hashes. The building manager is the root user, the only one allowed to see the list. When you try to get your mail (log in), you must first show your key (enter your password). The manager checks whether your key's code matches the one on the list. If it does, you can open your mailbox.

The manager also enforces rules: if you haven't picked up your mail in 90 days, your mailbox gets locked (account expiration). If you try to use the same key you used last month, the manager checks a rule that says you cannot reuse a key (password history). This centralized, secure list keeps every resident's mail safe because no one else can see everyone's keys. In Linux, /etc/shadow plays that same guardian role for user passwords.

Why This Term Matters

The /etc/shadow file matters because it is the backbone of password security on virtually every Linux system. Without it, password hashes would be stored in the /etc/passwd file, which is readable by every user on the system. That would be like posting everyone's encrypted keys on a public bulletin board-still encrypted, but now any user could download them and try to crack them offline using freely available tools like John the Ripper or Hashcat.

For IT professionals, understanding /etc/shadow is essential for system administration, security auditing, and incident response. When a user forgets their password, you need to know how to reset it using the passwd command, which updates /etc/shadow. When setting up password policies for a company, you use the chage command to configure password aging, which directly modifies the fields in this file. If you suspect a breach, one of the first forensic steps is to examine /etc/shadow for unusual entries or locked accounts.

in enterprise environments with hundreds or thousands of users, consistent password policies are critical for compliance with standards like PCI-DSS, HIPAA, or ISO 27001. These regulations often require password expiration, complexity, and account lockout rules-all enforced through the /etc/shadow file. Misconfiguring this file can lead to security vulnerabilities, such as allowing password-less logins or never expiring passwords. Therefore, a solid grasp of /etc/shadow is not optional for Linux administrators; it is a core competency.

How It Appears in Exam Questions

Exam questions about /etc/shadow appear in several patterns. The first type is definition and purpose: "What is the primary purpose of the /etc/shadow file?" The correct answer is to store encrypted password hashes and password aging data. A distractor might be "to store user account information like UID and GID," which belongs in /etc/passwd.

A second pattern is field identification. You may see a line like "jdoe:$6$abc123$xyz:18500:5:90:7:30::" and be asked which field represents the maximum password age. The correct answer is the fifth field (90 days), because field 3 is last change, field 4 is minimum age, field 5 is maximum age, field 6 is warning period, field 7 is inactivity period, and field 8 is expiration date.

A third pattern is troubleshooting. For example: "A user reports they cannot log in, and you see '!' at the start of the hash field in /etc/shadow. What is the issue?" The answer is that the account is locked. You might then be asked to unlock it with "usermod -U username" or by removing the '!' manually. Another scenario: "A user cannot change their password and receives the error 'Password has been used recently.' Which field in /etc/shadow is responsible?" The answer is the minimum password age field (field 4).

Configuration questions are also common: "You need to force all users to change their passwords every 60 days. Which command modifies /etc/shadow to achieve this?" The answer is "chage -M 60 username" or "chage --maxdays 60 username". These patterns show that exams require both memorization of the file structure and practical command knowledge.

Study CompTIA Linux+

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior system administrator at a small company. The CEO calls you because Bob from accounting cannot log into his Linux workstation. Bob says he typed his password correctly, but the system keeps rejecting him. You remote into the server and check the /etc/shadow file for Bob's account. You see this line:

bob:$6$saltsalt$abcdefghijk:18500:0:99999:7:30:19000:

The line looks normal at first-the hash starts with $6$, meaning it uses SHA-512 encryption. But you notice that field 8 (account expiration date) has a value of 19000. You check the current system date in days since 1970 using the command "echo $(($(date +%s)/86400))" and get 19100. That means Bob's account expired 100 days ago.

You explain to the CEO that Bob's account was set to expire on a specific date, and that date has passed. You use the command "usermod -e "" bob" to clear the expiration field, or "chage -E -1 bob" to remove the expiration. Bob tries logging in again and succeeds. To prevent this in the future, you write a policy to never set automatic account expirations unless someone leaves the company, and you teach the HR team to revoke access properly using the passwd -l command instead.

Common Mistakes

Thinking /etc/shadow is a world-readable file like /etc/passwd.

The /etc/shadow file is intentionally protected with strict permissions (usually 000 or 640) so only root and the shadow group can read it. Making it world-readable would expose password hashes to anyone, enabling offline cracking.

Always check permissions with 'ls -l /etc/shadow'. If it shows something like '-rw-r--r--', fix it with 'chmod 000 /etc/shadow' or 'chmod 640 /etc/shadow'.

Confusing password hash field with the actual password.

The /etc/shadow file stores a one-way hash of the password, not the password itself. A hash cannot be reversed to recover the original password. This is a fundamental security principle.

Remember that passwords are never stored in plain text anywhere on a secure Linux system. The hash is just a fingerprint used for verification.

Editing /etc/shadow directly with a text editor instead of using proper commands like passwd or usermod.

Manually editing /etc/shadow can lead to syntax errors, corrupted fields, or incorrectly formatted hash strings, potentially locking users out of the system. Also, if you edit while someone is changing their password, you can cause data loss.

Always use the intended commands: passwd (change password), usermod (lock/unlock, set expiration), chage (password aging). If you must edit directly, use vipw -s which locks the file.

Assuming that an empty hash field means the account is secure.

An empty hash field in /etc/shadow allows login with any password or even no password, which is a huge security vulnerability. It means no authentication is required.

If you see an empty hash field for an account, immediately set a password using 'passwd username' or lock the account with 'passwd -l username'.

Forgetting that /etc/shadow is only for local user authentication, not for network-based authentication like LDAP or Kerberos.

While /etc/shadow is crucial for local users, many enterprise systems use centralized authentication. Changes made to /etc/shadow will not affect users authenticating via LDAP or Active Directory.

Know the authentication sources on your system. Use 'getent shadow username' to check if a user is local or coming from a network source. Manage network users with their respective tools.

Exam Trap — Don't Get Fooled

{"trap":"The question asks: 'Which file stores user passwords in encrypted form?' The answer choices include /etc/passwd, /etc/shadow, /etc/security, and /etc/gshadow. Many learners pick /etc/passwd because it contains user information and historically held hashes."

,"why_learners_choose_it":"Older Unix systems (and some older textbooks) mention that encrypted passwords were stored in /etc/passwd. Learners who haven't updated their knowledge may think this is still the case. Also, /etc/passwd is more commonly referenced in basic Linux courses, so it's familiar."

,"how_to_avoid_it":"Remember the distinction: /etc/passwd contains user account info (username, UID, GID, home directory, shell) but NEVER password hashes in modern systems. The password hash is always in /etc/shadow, which is not world-readable. If an exam question mentions 'encrypted passwords', think /etc/shadow."

Step-by-Step Breakdown

1

User presses Enter after typing their password

The login process begins when a user submits their credentials. The system must verify this information without exposing the actual password to anyone, including the user themselves.

2

PAM module pam_unix.so reads the username from the login prompt

The Pluggable Authentication Module (PAM) framework takes over. The pam_unix module locates the user's entry in /etc/shadow by matching the provided username. This file is opened only because the process runs as root.

3

The module extracts the hash prefix and salt from the stored hash

The stored hash in /etc/shadow includes a prefix (like $6$ for SHA-512) and a salt (a random string). The salt ensures that even if two users have the same password, their hashes will be different. This is a defense against rainbow table attacks.

4

The entered password is hashed using the same algorithm and salt

PAM takes the password the user typed and runs it through the same cryptographic hash function (e.g., SHA-512) using the same salt that was stored. This produces a new hash value.

5

The newly computed hash is compared to the stored hash

If the two hashes match exactly, the password is correct. Because hashing is deterministic-the same input always produces the same output-a match proves the user entered the right password. If they differ, authentication fails and access is denied.

6

Password aging checks are performed (if configured)

Even if the hash matches, the system checks fields in /etc/shadow like maximum password age (field 5) and inactivity period (field 7). If the password has expired, the user may be forced to change it before proceeding. This ensures security policies are enforced.

7

Login is granted or denied based on the result

If all checks pass-hash matches and password aging is acceptable-the user is allowed into the system. If any check fails, an error message is displayed and login is rejected. Failed attempts may be logged in /var/log/secure for auditing.

Practical Mini-Lesson

As a Linux administrator, you will interact with /etc/shadow in several common scenarios. The most frequent task is resetting forgotten passwords. You simply run the 'passwd username' command as root. This changes the password hash in /etc/shadow, and you never need to worry about the format because the system handles it. However, you should know that passwd uses the system's configured hash algorithm (usually SHA-512) and automatically generates a new salt.

Another common task is locking and unlocking accounts. If an employee leaves the company, you should lock their account rather than delete it immediately-this preserves files and prevents future login. Locking is done with 'usermod -L username' or 'passwd -l username', which places an exclamation mark (!) at the beginning of the password hash field. To unlock, use 'usermod -U username' or 'passwd -u username'. Never simply delete the exclamation mark manually unless you know exactly what you are doing; the command tools are safer.

Password aging is a critical administrative function. The 'chage' command allows you to view and modify all aging fields in /etc/shadow. For example, 'chage -M 90 username' sets the maximum password age to 90 days, meaning the user must change their password after that period. 'chage -m 1 username' sets a minimum of 1 day before another change, preventing users from cycling through passwords to reuse an old one. You can also set an account expiration date with 'chage -E YYYY-MM-DD username', which is useful for temporary employees or contractors.

What can go wrong? A common mistake is using a text editor like vi to edit /etc/shadow directly. If you accidentally delete a colon or change a digit, you may lock out a user or cause a system crash. Always use vipw -s, which locks the file and provides a safer editing environment. Another issue is forgetting that password aging fields use days since 1970. You cannot just type a date; you must calculate the epoch day. Fortunately, the 'chage' command accepts human-readable dates and converts them automatically.

For security professionals, auditing /etc/shadow is part of a penetration test or compliance check. You might run a script to detect accounts with empty passwords, accounts that never expire, or accounts with weak hash algorithms (like MD5). Modern systems should use SHA-512 ($6$). If you find $1$ (MD5) hashes, they are weaker and should be updated. You can force a user to upgrade their hash by setting a new password.

Finally, remember that /etc/shadow is local. In larger environments with LDAP or Active Directory, the local shadow file may be empty or contain only system accounts. You need to understand the authentication flow: PAM will check local files first if configured, then fall back to network sources. The 'getent shadow username' command shows the shadow entry regardless of the source, which is useful for troubleshooting.

Memory Tip

Remember the nine fields of /etc/shadow as 'U H L M W I E R R'-Username, Hash, Last change, Minimum age, Maximum age, Warning period, Inactivity period, Expiration date, Reserved.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

XK0-005XK0-006(current version)

Related Glossary Terms

Frequently Asked Questions

Can I view the /etc/shadow file as a regular user?

No, by default the /etc/shadow file is only readable by root and members of the shadow group. If you try to view it with cat or less as a regular user, you will get a 'Permission denied' error.

What happens if I delete the entire /etc/shadow file?

Deleting /etc/shadow would break user authentication because the system cannot verify passwords. Users may be able to log in without a password depending on PAM configuration, but it creates a serious security risk. Always have a backup.

How do I change the hash algorithm used for new passwords?

You can configure the default hash algorithm in /etc/login.defs by setting the ENCRYPT_METHOD variable (e.g., ENCRYPT_METHOD SHA512). Existing users' passwords are not automatically rehashed; they will be updated the next time each user changes their password.

What is the difference between an exclamation mark and an asterisk in the password hash field?

An exclamation mark (!) at the start of the hash field indicates the account is locked. An asterisk (*) typically means the account is disabled and cannot be used for login, often used for system accounts. Both prevent login but are set differently.

How can I check when a user's password expires?

Use the 'chage -l username' command. It displays all password aging information from /etc/shadow in a human-readable format, including last change, expiration date, and warning period.

Is /etc/shadow used in containerized environments like Docker?

Yes, Docker containers based on Linux distributions also use /etc/shadow for local user authentication. However, containers are often designed to run as root or a single user, and modifying /etc/shadow inside a container is common for setting up users.

Summary

The /etc/shadow file is a fundamental component of Linux security, storing encrypted password hashes and password aging information in a protected, restricted-access file. It replaced the older practice of keeping password hashes in the world-readable /etc/passwd file, significantly improving system security. Every field in /etc/shadow serves a specific purpose-from username and hash to expiration and inactivity periods-and understanding these fields is essential for administering user accounts and enforcing password policies.

For IT certification exams like CompTIA Linux+ and RHCSA, the /etc/shadow file appears in questions about file permissions, user management commands, password aging, and account locking. You must know the file's location, ownership, permissions, and the meaning of each colon-separated field. Common exam traps include confusing /etc/shadow with /etc/passwd or misunderstanding the significance of special hash prefixes.

In real-world practice, you will use commands like passwd, usermod, and chage to manipulate /etc/shadow safely, rather than editing the file directly. Regular audits of this file help identify accounts with weak hashes, empty passwords, or improper aging settings. Mastering /etc/shadow not only helps you pass exams but also equips you to manage user authentication securely in any Linux environment.