What Are Shadow Passwords?

Historically, Linux systems stored password hashes in the /etc/passwd file alongside the rest of the account information (user name, UID, home directory, shell). Because many programs need to map user names to IDs, that file must be world-readable, which means any local user could copy the hashes and attack them offline. Shadow passwords fix this by moving the hashes out of /etc/passwd into a file only root can read. On Red Hat Enterprise Linux and CentOS, the shadow-utils package provides shadow password support; for security reasons it is installed by default.

With shadow passwords, the password hashes are moved from /etc/passwd, which is world-readable, to /etc/shadow, which is readable only by root (on Red Hat systems the file is mode 0000, owned by root; check with `ls -l /etc/shadow`). The password field in /etc/passwd is replaced by a single "x" to say "look in the shadow file". /etc/shadow also carries per-account password aging information (date of last change, minimum and maximum age, warning period, inactivity period, account expiry), edited with chage(1), while /etc/login.defs sets the defaults (for example PASS_MAX_DAYS) that apply to newly created accounts.
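To make the two file layouts concrete, here is an added example (not code from the page or from shadow-utils) that parses constructed /etc/passwd and /etc/shadow records and flags the misconfigurations an auditor looks for: a hash left in the world-readable passwd file, an empty password field, a weak hash algorithm, and expired or never-expiring passwords. The sample lines and hash strings are constructed placeholders; the field order is the real one (shadow: name, hash, last change in days since the epoch, min, max, warn, inactive, expire, reserved).

```python
"""Audit constructed /etc/passwd and /etc/shadow records (added example)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample records; the hash strings are placeholders, not real hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:1001:1001:Legacy:/home/legacy:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root:$6$rounds=5000$rootsalt$placeholderhash:19700:0:99999:7:::
alice:$6$alicesalt$placeholderhash:19500:0:90:7:::
svc:!:19600:0:99999:7:::
"""

# Modular-crypt-format identifiers as used by libxcrypt / shadow-utils.
HASH_IDS = {
    "$1$": "md5crypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}

def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {pw, uid, shell} for each 7-field passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[f[0]] = {"pw": f[1], "uid": int(f[2]), "shell": f[6]}
    return users

def parse_shadow(text: str) -> Dict[str, dict]:
    """name -> {hash, lastchg, max} for each 9-field shadow line (empty = unset)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        to_int = lambda s: int(s) if s else None  # noqa: E731
        entries[f[0]] = {"hash": f[1], "lastchg": to_int(f[2]), "max": to_int(f[4])}
    return entries

def hash_algorithm(h: str) -> str:
    """Classify a shadow hash field: none, locked, a named algorithm, or legacy DES."""
    if h == "":
        return "none"
    if h.startswith(("!", "*")):
        return "locked"          # no password hash can start with ! or *, so login is disabled
    for prefix, name in HASH_IDS.items():
        if h.startswith(prefix):
            return name
    return "descrypt"            # 13-character traditional DES crypt, no $id$ prefix

def audit(passwd_text: str, shadow_text: str, today_days: int) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; today_days is days since 1970-01-01, as in field 3."""
    findings = []
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    for name, p in passwd.items():
        if p["pw"] == "":
            findings.append((name, "empty password field in /etc/passwd: no password required"))
        elif p["pw"] != "x":
            findings.append((name, "password hash stored in world-readable /etc/passwd"))
            continue
        s: Optional[dict] = shadow.get(name)
        if s is None:
            findings.append((name, "passwd entry is shadowed but /etc/shadow has no record"))
            continue
        algo = hash_algorithm(s["hash"])
        if algo == "none":
            findings.append((name, "empty hash in /etc/shadow: login without a password"))
        elif algo in ("md5crypt", "descrypt"):
            findings.append((name, f"weak hash algorithm {algo}"))
        if algo in ("none", "locked"):
            continue             # aging is irrelevant for locked or passwordless accounts
        if s["max"] is None or s["max"] >= 99999:
            findings.append((name, "password never expires"))
        elif s["lastchg"] is not None and s["lastchg"] + s["max"] < today_days:
            findings.append((name, "password expired"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(PASSWD_SAMPLE, SHADOW_SAMPLE, today_days=19800):
        print(f"{user}: {finding}")
```

On a real host the same functions can be fed `open("/etc/passwd").read()` and, as root, `open("/etc/shadow").read()`, with today_days computed as `int(time.time() // 86400)`; the unprivileged read of /etc/shadow failing with EACCES is itself the property the article is describing.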

The primary advantage of a shadow file is that unprivileged users cannot read the password hashes at all, so they have nothing to crack. The hashes themselves are salted: when a user sets a password, the system generates a random salt, feeds the salt and the password through a deliberately slow hash function (sha512crypt, "$6$", or yescrypt, "$y$", on current distributions) and stores the salt together with the result in /etc/shadow in the form $id$salt$hash. When the user logs in with the plaintext password, the system re-hashes it with the stored salt and compares the result with the stored value in /etc/shadow. The password itself is never stored, and the hash is not an encryption that can be reversed: the only way to get the password back is to guess candidates and hash each one.

Consider an offline brute-force or dictionary attack. If the hashes lived in the world-readable /etc/passwd, any local user, or any bug that lets a remote attacker read a file as a local user, would yield a copy of every hash, which the attacker could then run through a cracker on their own hardware for as long as they liked. With the hashes in /etc/shadow, the attacker first needs root, or an equivalent privilege escalation, just to obtain them, and the per-user salt means that each hash has to be attacked separately rather than looked up in a precomputed table. Shadow passwords do not stop online guessing against a login service such as SSH; that is the job of rate limiting and account lockout (pam_faillock on Red Hat systems), together with passwords strong enough that an offline attack does not finish before the password is changed.
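The salt-hash-compare cycle above, and why a cracker needs the hash string rather than the "x" in /etc/passwd, as an added example that is not the page's or shadow-utils' code. It uses hashlib's PBKDF2-HMAC-SHA512 under a hypothetical `$pbkdf2-sha512$rounds$salt$hash` format, because the real sha512crypt and yescrypt algorithms live in libxcrypt and Python's `crypt` module was removed in 3.13; the mechanism (random salt, many iterations, constant-time compare) is the same. The salts and wordlist in the usage are constructed.

```python
"""Salted password hashing, verification and offline cracking (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hypothetical modular-crypt-style format, not a real libxcrypt identifier.
PREFIX = "$pbkdf2-sha512$"
DEFAULT_ROUNDS = 50_000   # cost parameter; raise it as hardware gets faster

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.b64decode(s + "=" * (-len(s) % 4))

def make_hash(password: str, salt: Optional[bytes] = None, rounds: int = DEFAULT_ROUNDS) -> str:
    """What the system stores in /etc/shadow: a fresh random salt plus the slow hash."""
    if salt is None:
        salt = os.urandom(16)   # per-password random salt, as passwd(1)/libxcrypt do
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{PREFIX}{rounds}${_b64(salt)}${_b64(dk)}"

def verify(password: str, stored: str) -> bool:
    """What login does: re-hash the candidate with the stored salt and compare."""
    if not stored.startswith(PREFIX):
        return False            # "x", "!", "*", "" or an unknown format never verifies
    try:
        rounds, salt_b64, _ = stored[len(PREFIX):].split("$")
        candidate = make_hash(password, _unb64(salt_b64), int(rounds))
    except (ValueError, TypeError):
        return False            # malformed record: fail closed
    return hmac.compare_digest(candidate, stored)

def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline cracking needs the hash; given the 'x' from /etc/passwd it can do nothing."""
    if not stored.startswith(PREFIX):
        return None
    for word in wordlist:
        if verify(word, stored):
            return word
    return None

if __name__ == "__main__":
    # Constructed salts and wordlist; the same password hashes differently under each salt.
    h1 = make_hash("correct horse", salt=b"constructedsalt1", rounds=1000)
    h2 = make_hash("correct horse", salt=b"constructedsalt2", rounds=1000)
    print("same password, different salts, different hashes:", h1 != h2)
    print("login with right password:", verify("correct horse", h1))
    print("cracked from shadow hash:", dictionary_attack(h1, ["password", "123456", "correct horse"]))
    print("cracked from passwd 'x':", dictionary_attack("x", ["correct horse"]))
```

Two design points carry over to the real system: the salt is stored in the clear next to the hash because its job is to defeat precomputation, not to be secret; and the comparison uses `hmac.compare_digest` so that a wrong guess does not leak, through timing, how many leading bytes of the hash it matched.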