In the Linux operating system, a shadow password file is a system file in which encryption user password are stored so that they aren't available to people who try to break into the system. Ordinarily, user information, including passwords, is kept in a system file called
. The password for each user is stored in an encrypted form (some would call it an encoded form since it isn't really encrypted by the usual algorithm) that is created and used as follows:
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
- The original password is encrypted (or encoded) by using a randomly-generated value or encryption key between 1 and 4096 and a one-way hashing function to arrive at the encoded password that is actually stored. Note that the stored result is not something that you can enter as a password itself.
- The key (referred to as the salt) is stored with the encoded password. Note the key itself can't be used to decode the encrypted/encoded password because the encoding is one-way. You can't decode the result back into the original password by using the key.
- When someone enters a password, their password is then rehashed with the salt value and compared with the encoded password value. If they match, the user is given access to the system.
In spite of encoding the password with a randomly-generated one-way hash function, a cracker could still break the system if they got access to the
file. Using an approach known as the dictionary attack, a cracker could methodically test each encoded password in the file against their dictionary of commonly-used passwords, each encoded 4096 different ways (to cover all the hash possibilities). Assuming that the system was lax in its password creation requirements and some user used one of the many commonly-used passwords, at least one password could be discovered. In Linux, this possibility can be foreclosed by simply moving the passwords in the
file to another file, usually named
and making this file readable only by those who have access to the system root directory. Using a shadow password file requires that the Linux system installer also install the optional Shadow Suite, which, like Linux, is open source software and available from a number of sites on the Web.