What are shadow passwords?
Shadow passwords are an enhancement to login security on
Unix systems. Traditionally, passwords are kept in
encrypted form in a world-readable table
/etc/passwd ). To test a password, a program
encrypts the given password with the same "key" (salt) that was used
to encrypt the password stored in the
(the salt is always given as the first two characters of the
password). Because the encrypted passwords are not "decryptable",
authentication takes place by comparison. If the
/etc/passwd/ file password matches the encrypted login
password, the user is granted access.
Although this scheme is reasonably secure, it is still subject to
break-in attempts, such as the "dictionary attack", where common or
likely passwords are encrypted and tested against the
/etc/passwd/ file until a match is found. For a good
password, these types of attacks can take a long time (since, on most
systems, there are literally over 10,000 trillion possible passwords).
However, many users choose common words, combinations of common words,
or variants on personal data for their passwords. These are easily
cracked, often within a few hours.
To reduce the vulnerability of a world-readable password file, many
newer Unix systems utilize shadow password files. The traditional
password file is maintained in
/etc/passwd (as it
contains more than just password information), but the actual
encrypted passwords, along with expiration data, are kept in a file
that can only be read or used by root (the Unix Administrator
account). Processes which require access to the shadow password file
must be owned by root or be granted root level permissions before
access is obtained, which provides much greater security against password
Last modified on February 19, 2013.