Oct 8, 2023 4 min read

Understanding the /etc/shadow File

Understand /etc/shadow file with our step-by-step tutorial. The /etc/shadow file secures user accounts in Linux systems.


Introduction

On Linux systems, several authentication mechanisms are available. The most common and traditional one authenticates users against the /etc/passwd and /etc/shadow files.

The /etc/shadow file is a critical component of user account security in Linux-based operating systems. It stores encrypted user passwords and other account-related information, allowing for secure authentication and protection against unauthorized access.

In this tutorial, you will learn about the /etc/shadow file. We will also address a few FAQs about it.

/etc/shadow Format

Each user account is represented by one entry per line in the /etc/shadow file. You can view the contents of the file with a text editor or a command such as cat:

sudo cat /etc/shadow

The root user is usually listed first, followed by the system and regular user accounts. New entries are appended at the end of the file.

Each line of the /etc/shadow file has nine colon-separated fields:

mark:$6$.n.:17736:0:99999:7:::
[--] [----] [---] - [---] ----
|      |      |   |   |   |||+-----------> 9. Unused
|      |      |   |   |   ||+------------> 8. Expiration date
|      |      |   |   |   |+-------------> 7. Inactivity period
|      |      |   |   |   +--------------> 6. Warning period
|      |      |   |   +------------------> 5. Maximum password age
|      |      |   +----------------------> 4. Minimum password age
|      |      +--------------------------> 3. Last password change
|      +---------------------------------> 2. Encrypted Password
+----------------------------------------> 1. Username
  1. Username. This is the string you type when you log into the system. It must be an existing user account on the system.
  2. Encrypted Password. The password is stored in the format $type$salt$hashed. The $type prefix identifies the cryptographic hash algorithm and can take the following values:
  • $1$ – MD5
  • $2a$ – Blowfish
  • $2y$ – Eksblowfish
  • $5$ – SHA-256
  • $6$ – SHA-512


If the password field contains an asterisk (*) or an exclamation point (!), the user will not be able to log in to the system using password authentication. Other means of authentication, such as key-based authentication or switching to the user with su, are still permitted.

On older Linux systems, the user's encrypted password was stored in the /etc/passwd file.

3. Last password change. The date the password was last changed, expressed as the number of days since January 1, 1970 (the epoch date).

4. Minimum password age. The number of days that must elapse after a password change before the user's password can be changed again. It is usually set to zero, which means there is no minimum password age requirement.

5. Maximum password age. The number of days after a password change after which the user's password must be changed again. This value is set to 99999 by default.

6. Warning period. The number of days before a password expires that the user is notified that it needs to be updated.

7. Inactivity period. The number of days before a user's account is disabled once their password expires. This field is usually left blank.

8. Expiration date. The date on which the account is disabled, expressed as the number of days since the epoch date.

9. Unused. This field is currently ignored and is reserved for future use.

Do not edit the /etc/shadow file by hand unless you know exactly what you are doing. Always use a command designed for the task: use the passwd command to change a user's password, and the chage command to modify the password aging information.

Example Entry

Consider the following entry:

vegastack:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:120:7:14::

This entry contains the following password information for the user "vegastack":

  • The password is hashed with SHA-512 (the hash is truncated here for readability).
  • The password was last changed on April 23, 2019 (day 18009 since the epoch).
  • There is no minimum password age.
  • The password must be changed at least once every 120 days.
  • The user will be warned seven days before the password expires.
  • The account will be disabled if the user does not log in within 14 days after the password has expired.
  • The account has no expiration date.
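As an added example (not code from the original tutorial), the following Python script parses /etc/shadow lines into the nine fields described above, flags accounts whose password login is disabled, maps the $type prefix to its algorithm, converts the epoch day counts to calendar dates, and derives the date by which the password must be changed from fields 3 and 5. The sample lines are constructed and the hashes are placeholders; the "!" prefix check for locked hashes is an assumption based on how passwd -l marks accounts.

```python
# Added example: parse /etc/shadow entries and interpret the aging fields.
# Run stand-alone on the constructed sample, or feed real data on stdin:
#   sudo cat /etc/shadow | python3 shadow_parse.py
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
HASH_TYPES = {"1": "MD5", "2a": "Blowfish", "2y": "Eksblowfish",
              "5": "SHA-256", "6": "SHA-512"}

# Constructed sample lines; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:!:19000:0:99999:7:::
mark:$6$.n.:17736:0:99999:7:::
vegastack:$6$zHvrJMa5Y690smbQ$z5zdL...:18009:0:120:7:14::
svc:*:18500:0:99999:7::19500:
"""

def epoch_days(value):
    """Convert a days-since-epoch field to a date; an empty field means not set."""
    return EPOCH + timedelta(days=int(value)) if value else None

def parse_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    user, pw, last, minage, maxage, warn, inact, expire, _unused = fields
    # '*' or '!' (or a '!' prefix, assumed from passwd -l) disables password login.
    locked = pw.startswith(("*", "!"))
    # A hash of the form $type$salt$hashed starts with '$'; map $type to its name.
    algo = HASH_TYPES.get(pw.split("$")[1], "unknown") if pw.startswith("$") else None
    last_change = epoch_days(last)
    max_age = int(maxage) if maxage else None
    # The password must be changed by (last change + max age); 99999 means never.
    must_change_by = None
    if last_change and max_age is not None and max_age < 99999:
        must_change_by = last_change + timedelta(days=max_age)
    return {
        "user": user, "locked": locked, "algorithm": algo,
        "last_change": last_change, "min_age": int(minage or 0),
        "max_age": max_age, "warn_days": int(warn or 0),
        "inactive_days": int(inact) if inact else None,
        "expires": epoch_days(expire), "must_change_by": must_change_by,
    }

def parse_shadow(text):
    """Return a dict keyed by username for every non-empty line in text."""
    return {e["user"]: e for e in map(parse_shadow_line, text.splitlines()) if e}

if __name__ == "__main__":
    import sys
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for entry in parse_shadow(src).values():
        print(entry)
```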

FAQs for Understanding the /etc/shadow File

Where is the /etc/shadow file located?

The /etc/shadow file is located in the /etc directory in Linux-based operating systems.

Who can access the /etc/shadow file?

By default, only the root user and users with administrative privileges can read and modify the /etc/shadow file.

What are the fields stored in the /etc/shadow file?

The fields in the /etc/shadow file typically include the username, encrypted password, password last change date, password minimum age, password maximum age, password warning period, account expiration date, and more.

How are passwords stored in the /etc/shadow file?

Passwords in the /etc/shadow file are stored in an encrypted or hashed format using various algorithms like MD5, SHA-256, or bcrypt.

What happens when the /etc/shadow file is compromised?

If the /etc/shadow file is compromised, an attacker can potentially retrieve encrypted passwords. It is essential to safeguard this file with proper permissions and security measures.

How can I view the contents of the /etc/shadow file?

Only privileged users can view the contents of the /etc/shadow file using commands such as sudo cat /etc/shadow or sudo less /etc/shadow.

Can the /etc/shadow file be edited manually?

Editing the /etc/shadow file manually is generally not recommended. Instead, use proper commands (e.g., passwd) to modify user password information, as they handle the necessary encryption and validation.

How can I restore a corrupted /etc/shadow file?

If the /etc/shadow file becomes corrupted, restoring it from a backup is the best course of action. If a backup is not available, manual reconstruction of the file may be required using the available authentication credentials.

Conclusion

The /etc/shadow file keeps track of encrypted user passwords as well as other password-related data.

If you have any queries, please leave a comment below and we’ll be happy to respond to them.
