What are shadow passwords?

Shadow passwords are an enhancement to login security on Unix systems. Traditionally, passwords are kept in encrypted form in a world-readable table (/etc/passwd). To test a password, a program encrypts the given password with the same "key" (salt) that was used to encrypt the password stored in the /etc/passwd file (the salt is always given as the first two characters of the stored encrypted password). Because the encrypted passwords are not "decryptable", authentication takes place by comparison: if the result of encrypting the login password matches the encrypted password stored in /etc/passwd, the user is granted access.

Although this scheme is reasonably secure, it is still subject to break-in attempts, such as the "dictionary attack", where common or likely passwords are encrypted and tested against the /etc/passwd file until a match is found. For a good password, these types of attacks can take a long time (since, on most systems, there are literally over 10,000 trillion possible passwords). However, many users choose common words, combinations of common words, or variants on personal data for their passwords. These are easily cracked, often within a few hours.

To reduce the vulnerability of a world-readable password file, many newer Unix systems use shadow password files. The traditional password file is maintained in /etc/passwd (as it contains more than just password information), but the actual encrypted passwords, along with expiration data, are kept in a file that can only be read or used by root (the Unix Administrator account). Processes which require access to the shadow password file must be owned by root or be granted root level permissions before access is obtained, which provides much greater security against password snooping.
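The following audit sketch is an added example, not part of the original Knowledge Base document. It flags /etc/passwd entries that still carry a password outside the shadow file and checks the shadow file's owner and mode against the root-only rule described above. The sample entries are constructed, and the function names and the placeholder convention ("x" for a shadowed password, a leading "*" or "!" for a disabled login) are assumptions based on common Linux practice.

```python
import os
import stat

# Constructed sample in /etc/passwd layout: name:password:uid:gid:gecos:home:shell.
# "abXXXXXXXXXXX" is a made-up stand-in for a 13-character traditional hash (salt "ab").
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:abXXXXXXXXXXX:1001:1001:Bob:/home/bob:/bin/sh
carol::1002:1002:Carol:/home/carol:/bin/sh
daemon:*:1:1:daemon:/:/usr/sbin/nologin
"""


def audit_passwd(text):
    """Map account name -> finding for entries that bypass the shadow file."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings[fields[0]] = "malformed entry"
            continue
        name, pw = fields[0], fields[1]
        if pw == "":
            findings[name] = "empty password field"
        elif pw == "x" or pw[0] in "*!":
            continue  # assumed convention: shadowed ("x") or login disabled
        else:
            findings[name] = "password hash readable by every user"
    return findings


def shadow_problems(mode, uid):
    """Check a shadow file's st_mode and st_uid against the root-only rule."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & stat.S_IRWXO:  # any read/write/execute bit for "other"
        problems.append("accessible to other users")
    return problems


if __name__ == "__main__":
    for name, finding in audit_passwd(SAMPLE_PASSWD).items():
        print(f"/etc/passwd: {name}: {finding}")
    if os.path.exists("/etc/shadow"):
        st = os.stat("/etc/shadow")
        print("/etc/shadow:", shadow_problems(st.st_mode, st.st_uid) or "ok")
```

Group read access is not flagged, because some systems grant it to a dedicated group so that selected programs can verify passwords without running as root.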

This is document aezz in the Knowledge Base.
Last modified on 2017-05-16 11:50:22.
