shadow password file

In the Linux operating system, a shadow password file is a system file in which encryption user password are stored so that they aren't available to people who try to break into the system. Ordinarily, user information, including passwords, is kept in a system file called /etc/passwd . The password for each user is stored in an encrypted form (some would call it an encoded form since it isn't really encrypted by the usual algorithm) that is created and used as follows:

  1. The original password is encrypted (or encoded) by using a randomly-generated value or encryption key between 1 and 4096 and a one-way hashing function to arrive at the encoded password that is actually stored. Note that the stored result is not something that you can enter as a password itself.
  2. The key (referred to as the salt) is stored with the encoded password. Note the key itself can't be used to decode the encrypted/encoded password because the encoding is one-way. You can't decode the result back into the original password by using the key.
  3. When someone enters a password, their password is then rehashed with the salt value and compared with the encoded password value. If they match, the user is given access to the system.

In spite of encoding the password with a randomly-generated one-way hash function, a cracker could still break the system if they got access to the /etc/passwd file. Using an approach known as the dictionary attack, a cracker could methodically test each encoded password in the file against their dictionary of commonly-used passwords, each encoded 4096 different ways (to cover all the hash possibilities). Assuming that the system was lax in its password creation requirements and some user used one of the many commonly-used passwords, at least one password could be discovered. In Linux, this possibility can be foreclosed by simply moving the passwords in the /etc/passwd file to another file, usually named /etc/shadow and making this file readable only by those who have access to the system root directory. Using a shadow password file requires that the Linux system installer also install the optional Shadow Suite, which, like Linux, is open source software and available from a number of sites on the Web.

This was last updated in June 2007

Continue Reading About shadow password file

Dig Deeper on Disk and file encryption tools