On a Unix system, there is a file, /etc/passwd, that traditionally holds account information. As an example, typically this file contains a user's username, password, user and group id, other information like the last time they changed their password and when they must change it by, their home directory, default shell, and lastly, personal information like their full name, office location and phone number.
If you think over that information, you can see that it ranges from information that is pretty public -- like full name -- to information that is very private, like their password. Furthermore, since this is stored in a sequential file, if you can see one piece of information about a user, you can see them all.
Shadow password files are a mechanism to separate the public information about a user from the private information about a user. One way this is implemented, the shadow password file is /etc/shadow and is protected much more strongly than /etc/passwd. The passwd file is world-readable, but the shadow file is only readable by root. There are OS functions for changing its contents, rather than just having it be done by file access. It contains the password and other relevant information, like the last time it was changed, when it will expire, if the account should be disabled if the password expires and so on.
To sum up, the file /etc/passwd contains data about a user that should not be world-readable. Shadow password files create a file with tighter protection as a way of protecting the sensitive fields of the data about a user.
For more information on this topic, visit these other searchSecurity resources:
Best Web Links: Unix security
Best Web Links: Passwords/Authentication
Featured Topic: Passwords
This was first published in February 2002