Indiana University
University Information Technology Services
  

What are shadow passwords?

Shadow passwords are an enhancement to login security on Unix systems. Traditionally, passwords are stored in hashed (one-way "encrypted") form in a world-readable table, /etc/passwd. To test a password, the login program hashes the candidate password with the same salt that was used when the stored hash was created; in the traditional crypt(3) format the salt is the first two characters of the stored string, and newer formats carry it as a prefix of the form $id$salt$. Because the stored hashes cannot be reversed, authentication takes place by comparison: if the result matches the hash on record for that account in /etc/passwd, the user is granted access.

Although this scheme is reasonably secure, it is still subject to break-in attempts such as the "dictionary attack", in which an attacker who has copied the world-readable /etc/passwd hashes common or likely passwords under each account's salt and compares the results against the file until a match is found. Because the attack runs offline against the copied file, the login program's limits on failed attempts do not slow it down. For a good password, these attacks can take a long time (on most systems there are literally more than 10,000 trillion possible passwords). However, many users choose common words, combinations of common words, or variants on personal data for their passwords. These are easily cracked, often within a few hours.
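The two steps described above, verification by re-hashing with the stored salt and a dictionary attack against a copied password file, as an added example that is not part of the original document. The hash function is an assumption for the sake of a self-contained script: PBKDF2-HMAC-SHA256 stands in for crypt(3), and the "$x$" prefix is a placeholder identifier, not a real crypt algorithm; the salt-in-front layout and the compare-by-rehash logic are the same as on a real system. All account entries are constructed sample data.

```python
import hashlib
import hmac

# Stand-in for crypt(3) (assumption): PBKDF2-HMAC-SHA256 at a fixed work factor.
# Real systems use DES-crypt (two-character salt) or MD5/SHA-crypt ("$id$salt$hash").
ITERATIONS = 1000


def hash_password(password, salt):
    """Hash `password` under `salt`; the stored string will carry the salt in front."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return digest.hex()


def split_salt(stored):
    """Recover the salt from a stored hash string.

    Traditional crypt: the first two characters are the salt.
    Modular crypt ("$id$salt$hash"): everything up to and including the third '$'.
    """
    if stored.startswith("$"):
        _, ident, salt, _ = stored.split("$", 3)
        return f"${ident}${salt}$"
    return stored[:2]


def make_stored(password, salt):
    """Produce the on-disk form: salt prefix followed by the hash."""
    return salt + hash_password(password, salt)


def verify(candidate, stored):
    """Authentication by comparison: rehash the candidate with the stored salt."""
    salt = split_salt(stored)
    return hmac.compare_digest(make_stored(candidate, salt), stored)


# Constructed sample accounts (not from any real system).
ALICE_STORED = make_stored("Summer7", "ab")            # traditional two-character salt
BOB_STORED = make_stored("x9#Lq2!vR", "$x$Zt4k$")      # modular "$id$salt$" layout
SAMPLE_SHADOW = [
    "root:!:13500:0:99999:7:::",                        # locked account, no hash to attack
    "daemon:*:13500:0:99999:7:::",
    "alice:" + ALICE_STORED + ":13500:0:99999:7:::",
    "bob:" + BOB_STORED + ":13500:0:99999:7:::",
]
WORDLIST = ["password", "summer", "indiana"]             # constructed, deliberately tiny


def candidates(words):
    """Typical dictionary-attack mangling: the word, capitalized, and with a digit suffix."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for digit in range(10):
                yield base + str(digit)


def dictionary_attack(shadow_lines, words):
    """Try every candidate against every account offline; return {user: password} for hits."""
    targets = {}
    for line in shadow_lines:
        user, stored = line.split(":")[:2]
        if stored and not stored.startswith(("*", "!")):  # skip locked / no-password entries
            targets[user] = stored
    cracked = {}
    for cand in candidates(words):
        for user, stored in targets.items():
            if user not in cracked and verify(cand, stored):
                cracked[user] = cand
    return cracked


if __name__ == "__main__":
    print(dictionary_attack(SAMPLE_SHADOW, WORDLIST))
```

Alice's "Summer7" falls to a three-word list with trivial mangling, while Bob's password survives it; note also that the same password under two different salts produces two different stored strings, which is what forces the attacker to hash each guess once per account rather than once overall.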

To reduce the vulnerability of a world-readable password file, many newer Unix systems use shadow password files. The traditional /etc/passwd is kept (it contains more than just password information, such as user IDs, home directories, and login shells), but its password field holds only a placeholder, and the actual password hashes, along with password-aging and expiration data, are kept in a separate file (typically /etc/shadow) that can be read only by root (the Unix administrator account) or, on some systems, by a dedicated group such as shadow. Processes that need to verify a password, such as login or a setuid helper used by the screen locker, must run as root or be granted equivalent privilege before they can read the file, which provides much greater protection against password snooping.
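An added example, not part of the original document, of the two checks an administrator would run after moving to shadow passwords: that no hashes remain in the world-readable /etc/passwd (every password field should be a placeholder, and an empty field means no password at all), and that the shadow file is not readable by others. The sample passwd and shadow contents are constructed; the "$6$placeholder$hash" string is a stand-in for a real hash. The script writes them to a temporary directory so it runs without touching the real system files; point audit() at /etc/passwd and /etc/shadow to check a live machine.

```python
import os
import stat
import tempfile

# Password-field values that mean "look in the shadow file" or "account locked".
PLACEHOLDERS = {"x", "*", "!", "!!"}

# Constructed sample files (not from any real system).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh\n"
    "legacy:abS3cR3tHashHere:1001:1001:Legacy:/home/legacy:/bin/sh\n"   # hash never moved
    "guest::1002:1002:Guest:/home/guest:/bin/sh\n"                      # empty password
)
SAMPLE_SHADOW = (
    "root:!:13500:0:99999:7:::\n"
    "alice:$6$placeholder$hash:13500:0:99999:7:::\n"
)


def passwd_findings(lines):
    """Scan passwd-format lines; report users whose password field is a hash or empty."""
    findings = {"hash_in_passwd": [], "empty_password": []}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:          # not a well-formed passwd entry
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings["empty_password"].append(user)
        elif pw not in PLACEHOLDERS:
            findings["hash_in_passwd"].append(user)
    return findings


def is_world_readable(path):
    """True if the 'other' read bit is set on `path`."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(passwd_path, shadow_path):
    """Combine the passwd scan with the shadow file permission check."""
    with open(passwd_path) as f:
        findings = passwd_findings(f.readlines())
    mode = os.stat(shadow_path).st_mode
    findings["shadow_mode"] = oct(stat.S_IMODE(mode))
    findings["shadow_world_readable"] = is_world_readable(shadow_path)
    return findings


def demo():
    """Write the constructed files to a temp dir with typical modes and audit them."""
    d = tempfile.mkdtemp()
    passwd_path = os.path.join(d, "passwd")
    shadow_path = os.path.join(d, "shadow")
    with open(passwd_path, "w") as f:
        f.write(SAMPLE_PASSWD)
    with open(shadow_path, "w") as f:
        f.write(SAMPLE_SHADOW)
    os.chmod(passwd_path, 0o644)   # passwd is meant to be world-readable
    os.chmod(shadow_path, 0o640)   # shadow: root (and a shadow group, if used) only
    return audit(passwd_path, shadow_path)


if __name__ == "__main__":
    print(demo())
```

On a live system the expected result is an empty hash_in_passwd list, an empty empty_password list, shadow_world_readable False, and a shadow_mode of 0o640 or 0o600; a "legacy" style finding means an account's hash is still exposed to every local user and should be migrated with the system's pwconv or equivalent tool.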


This is document aezz in domain all.
Last modified on December 20, 2005.