In Linux, when you create a user (with the useradd command) the public account information such as username, UID, GID, home directory and login shell is stored in the system file /etc/passwd, while the sensitive account information, the hashed password, date of last change, expiry date and so on, is stored in a separate file, /etc/shadow. In this article we look at how /etc/shadow is laid out. Unlike /etc/passwd, which must be world-readable, /etc/shadow is readable only by root (on Debian-derived systems also by members of the shadow group). That split is the whole point of the file: anyone who can read /etc/shadow can run the hashes through an offline cracker, so its permissions should be checked on any system you audit.
Each user account has one line in /etc/shadow. A line consists of 9 fields separated by colons (:); the ninth is reserved for future use and is normally empty, which is why the file is often described as having 8 fields. A sample entry is as follows.
1. Username
The login name of the user. It must match an entry in /etc/passwd; the two files are joined on this field.
2. Password
This is the hashed password of the user (the manual pages still call it "encrypted", but it is a one-way hash, not something that can be decrypted). The corresponding /etc/passwd entry carries an x in its second field to indicate that the password lives here. Length and complexity rules are not part of this file's format; they are enforced at password-change time by PAM modules such as pam_pwquality.
An empty field means no password is required to log in (if PAM allows it). A field that is not a valid crypt(3) result, such as ! or *, means no password can ever match, so password login is disabled: passwd -l prepends ! to the existing hash (the hash is kept so that passwd -u can restore it), !! on Red Hat derived systems marks an account whose password was never set, and * is conventionally used for system accounts. A lock only affects password authentication; SSH keys and sudo rules for the account still work.
For a real hash the text between the first two $ signs identifies the hash scheme, the text after it up to the next $ is the salt, and the rest is the hash itself. The $1$ in the password field shows that the MD5-crypt algorithm was used, which is obsolete and worth flagging in an audit.
$1$ = MD5
$2a$, $2b$, $2y$ = bcrypt (Blowfish-based)
$5$ = SHA-256
$6$ = SHA-512
$y$ = yescrypt (the default on current Debian and Ubuntu releases)
A 13-character field with no $ prefix is the legacy DES-based crypt with a 2-character salt and should be treated as broken.
3. Last change
Date of the last password change, as the number of days since January 1, 1970. A value of 0 forces the user to change the password at the next login (this is what passwd -e sets); an empty field disables all password aging for the account.
4. Minimum days
Minimum number of days that must pass after a password change before the user may change it again; this stops users from cycling straight back to an old password. 0 or an empty field means no restriction.
5. Maximum days
Maximum number of days a password remains valid; after that the user is forced to change it at login. 99999 effectively disables expiry. An empty field means no maximum age and, as a consequence, no warning period and no inactivity period either.
6. Warn
Number of days before the password expires during which the user is warned at login. 0 or an empty field means no warning.
7. Inactive
Number of days after the password has expired during which it is still accepted, with the user being forced to change it at login. Once this grace period has passed the account is disabled until an administrator resets the password. An empty field means no inactivity period.
8. Expire
Absolute date on which the account is disabled, as days since January 1, 1970, independent of password aging: from that day on the login may no longer be used. An empty field means never. Do not use 0 here; depending on the tool it is read either as "no expiry" or as an expiry on January 1, 1970.
9. Reserved
Reserved for future use; currently always empty.
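The following parser is an added example, not code from the original article: it splits /etc/shadow lines into the nine fields described above, classifies the password field (empty, locked, or hashed and with which scheme), and applies the aging rules from shadow(5) to a chosen "today" day number. The sample lines are constructed for the example, and the hash strings in them are placeholders, not real digests.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Scheme identifiers per crypt(5); the $2$ variants are bcrypt, "y" is yescrypt.
HASH_IDS = {
    "1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256", "6": "SHA-512", "7": "scrypt", "y": "yescrypt",
}
EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]   # days since 1970-01-01; 0 = must change; None = aging off
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]    # absolute account expiry; None = never
    reserved: str


def _opt_int(field: str) -> Optional[int]:
    """Empty fields mean 'unset' in /etc/shadow; anything else is a day count."""
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}: {line!r}")
    name, pw, *ages, reserved = fields
    lst, mn, mx, warn, inact, exp = (_opt_int(f) for f in ages)
    return ShadowEntry(name, pw, lst, mn, mx, warn, inact, exp, reserved)


def day_to_date(days: int) -> date:
    return EPOCH + timedelta(days=days)


def password_status(pw: str) -> Tuple[str, Optional[str]]:
    """Classify the password field as (empty|locked|hashed, scheme or None)."""
    if pw == "":
        return ("empty", None)              # no password asked for at login
    locked = pw.startswith(("!", "*"))      # not a valid crypt(3) output: nothing matches
    body = pw.lstrip("!*")                  # passwd -l keeps the old hash behind the '!'
    if body.startswith("$"):
        algo = HASH_IDS.get(body.split("$")[1], "unknown")
    elif len(body) == 13:
        algo = "DES"                        # legacy 13-character crypt, 2-character salt
    else:
        algo = None
    return ("locked" if locked else "hashed", algo)


def aging_state(e: ShadowEntry, today: int) -> str:
    """Apply the shadow(5) aging rules to a login attempt on day `today`."""
    if e.expire_day is not None and today >= e.expire_day:
        return "account-expired"            # field 8 wins regardless of the password
    if e.last_change == 0:
        return "must-change"                # forced change at next login
    if e.last_change is None or e.max_days is None:
        return "no-aging"
    expires = e.last_change + e.max_days
    if e.inactive_days is not None and today >= expires + e.inactive_days:
        return "inactive"                   # grace period over, account disabled
    if today >= expires:
        return "expired"                    # still allowed in, but must change now
    if e.warn_days is not None and expires - today <= e.warn_days:
        return "warning"
    return "ok"


def audit(lines, today: int):
    """Map each login name to (password state, hash scheme, aging state)."""
    report = {}
    for line in lines:
        e = parse_shadow_line(line)
        state, algo = password_status(e.password)
        report[e.name] = (state, algo, aging_state(e, today))
    return report


# Constructed sample file. FAKE_HASH stands in for an 86-character SHA-512-crypt
# digest; none of these strings is a real hash.
FAKE_HASH = "X" * 86
SAMPLE_LINES = [
    f"alice:$6$Q9Ku6o6rR1xg0c8Y${FAKE_HASH}:19000:0:90:7:14::",
    f"bob:!$6$Q9Ku6o6rR1xg0c8Y${FAKE_HASH}:19000:0:90:7:14::",
    "daemon:*:19000:0:99999:7:::",
    "carol::19000:0:99999:7:::",
    "dave:$y$j9T$SALTSALTSALTSALTSALTSA$" + "Z" * 43 + ":0:0:99999:7:::",
    "erin:$5$abcdefgh$" + "Y" * 43 + ":18900:0:30:7:5::",
    f"frank:$6$abcdefgh${FAKE_HASH}:19000:0:99999:7::19000:",
]

if __name__ == "__main__":
    today = 19085  # 2022-04-03, chosen so every aging state shows up once
    for name, (state, algo, aging) in audit(SAMPLE_LINES, today).items():
        print(f"{name:8} {state:7} {str(algo):9} {aging}")
```

Run against a real file with `audit(open("/etc/shadow").read().splitlines(), (date.today() - EPOCH).days)` as root; the interesting findings are "empty" (passwordless login), "hashed" with MD5 or DES (rehash on next login), and "locked" accounts that nevertheless have authorized_keys.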
How the hashed password works
The function applied to the password field is technically a one-way hash function, historically called "encryption", which is why the field is still often described that way. It is easy to compute in one direction and infeasible to invert: the system never recovers the password, it only recomputes the hash.
When a user sets a password, it is hashed together with a randomly generated value called the salt. With the original DES-based crypt the salt was 12 bits, so any particular password could be stored in 4096 different ways; MD5-crypt uses up to 8 salt characters and the SHA-256 and SHA-512 schemes up to 16, each character carrying 6 bits, so the number of variants is vastly larger. The salt is stored in clear alongside the hash (it is the text between the second and third $). It is not a secret; its job is to make precomputed tables useless and to ensure two users with the same password get different hashes, so an attacker must rerun the hash separately for every salt. The modern schemes additionally iterate the hash many times (5000 rounds by default for $5$ and $6$, tunable with a rounds= prefix) to slow down guessing.
When a user logs in and supplies a password, the salt (and the rounds count, if present) is first read from the stored field. The supplied password is then hashed with that salt, and the result is compared with the stored hash. If they match, the user is authenticated.
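The set-and-verify flow described above, as an added example that is not part of the original article. It implements the published SHA-512-crypt ($6$) algorithm from Ulrich Drepper's "Unix crypt using SHA-256 and SHA-512" specification in pure Python so that the salt handling, the rounds loop and the verification step are visible; a real system should call crypt(3)/libxcrypt or a PAM module rather than this code. The spec's own test vector (password "Hello world!", salt "saltstring") is used as the check.

```python
import hashlib
import hmac
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000
SALT_MAX = 16


def _stretch(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest to exactly `length` bytes (spec steps 9-10, 16, 20)."""
    reps, rem = divmod(length, len(digest))
    return digest * reps + digest[:rem]


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    pw = password.encode()
    rounds = max(1000, min(rounds, 999_999_999))   # glibc clamps the rounds parameter
    salt = salt.split("$")[0][:SALT_MAX]            # salt ends at '$' and is at most 16 chars
    sb = salt.encode()

    # Digest B = H(pw || salt || pw)
    b = hashlib.sha512(pw + sb + pw).digest()

    # Digest A = H(pw || salt || B stretched to len(pw) || mix), where `mix` adds
    # B for each 1 bit and pw for each 0 bit of len(pw), lowest bit first.
    ctx = hashlib.sha512(pw + sb)
    ctx.update(_stretch(b, len(pw)))
    n = len(pw)
    while n:
        ctx.update(b if n & 1 else pw)
        n >>= 1
    a = ctx.digest()

    # P: H(pw repeated len(pw) times) stretched to len(pw).
    p = _stretch(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    # S: H(salt repeated 16 + A[0] times) stretched to len(salt).
    s = _stretch(hashlib.sha512(sb * (16 + a[0])).digest(), len(sb))

    # Cost loop: every round rehashes a mix of the previous digest, P and S.
    c = a
    for i in range(rounds):
        ctx = hashlib.sha512()
        ctx.update(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()

    # crypt's own base64: 6 bits per char from B64, digest bytes consumed in the
    # permuted order (i, i+21, i+42) rotated by i mod 3, then byte 63 on its own.
    out = []

    def emit(b2: int, b1: int, b0: int, nchars: int) -> None:
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(nchars):
            out.append(B64[w & 0x3F])
            w >>= 6

    for i in range(21):
        trip = [i, i + 21, i + 42]
        x, y, z = trip[i % 3:] + trip[:i % 3]
        emit(c[x], c[y], c[z], 4)
    emit(0, 0, c[63], 2)

    prefix = "$6$" + (f"rounds={rounds}$" if rounds != DEFAULT_ROUNDS else "")
    return f"{prefix}{salt}${''.join(out)}"


def new_shadow_hash(password: str) -> str:
    """What passwd(1) does when a password is set: fresh random 16-char salt, then hash."""
    salt = "".join(secrets.choice(B64) for _ in range(SALT_MAX))
    return sha512_crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """What login/pam_unix do: take salt and rounds from the stored field,
    rehash the candidate and compare the digests in constant time."""
    parts = stored.split("$")                       # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = DEFAULT_ROUNDS
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts = parts[:2] + parts[3:]
    if len(parts) != 4:
        return False
    salt, digest = parts[2], parts[3]
    candidate = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    field = new_shadow_hash("correct horse battery staple")
    print(field)                                    # what would land in /etc/shadow
    print(verify("correct horse battery staple", field), verify("Tr0ub4dor&3", field))
```

Note that `verify` never needs the plaintext from the file: the stored field alone supplies the scheme, the salt and the cost, which is exactly why it is safe to keep the salt in clear but not the hash.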
So it is always recommended to choose strong passwords, a mix of letters, digits and special symbols, and to avoid dictionary words: salting and iteration only slow an attacker down, and a password that appears in a wordlist will be recovered from a leaked /etc/shadow no matter which hash scheme protects it.