/etc/shadow is the file that actually holds users' hashed passwords, together with password-aging information. It was introduced in the 1980s when growing CPU power made offline cracking of the passwords in world-readable /etc/passwd practical. By moving the hashes to a root-readable-only file, shadow passwords dramatically improved security.
A shadow entry looks like:
username:hash:lastchange:min:max:warn:inactive:expire:reserved
alice:$6$salt$Saj...LongHash...:19876:0:99999:7:::
The hash field encodes the algorithm, salt, and hash: $1$ is old MD5, $5$ is SHA-256, $6$ is SHA-512, and $y$/$argon2id$ are modern password hashes like yescrypt and argon2. An asterisk or ! means the account is locked (no password will match). The numeric fields control minimum and maximum password age and warnings.
Only root can read /etc/shadow, and direct editing is done with vipw -s. Commands like passwd, chage, and usermod -L/-U manipulate it safely. On systems using external authentication (LDAP, Kerberos), shadow may contain only the local admin accounts and ! placeholders for centrally managed users.
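The following Python code is an added example, not part of the original entry: it parses lines in the format shown above, identifies the hash scheme from its prefix, detects locked accounts, and converts the aging fields into a password expiry date. The function names, the decision to flag only MD5 as weak, the empty-password check (taken from shadow(5), not from this entry), and the bob and svc sample lines are assumptions made for illustration.

```python
from datetime import date, timedelta

FIELDS = ("username", "hash", "lastchange", "min", "max",
          "warn", "inactive", "expire", "reserved")
# Hash-scheme prefixes named in the entry above.
SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
           "$y$": "yescrypt", "$argon2id$": "argon2id"}
WEAK = {"md5"}  # assumption: this audit flags only the old MD5 scheme
EPOCH = date(1970, 1, 1)  # lastchange and expire count days from here

def parse_shadow_line(line):
    """Split one shadow entry into named fields plus lock/scheme info."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    entry["locked"] = entry["hash"].startswith(("!", "*"))
    # usermod -L keeps the hash and puts '!' in front of it.
    body = entry["hash"].lstrip("!")
    entry["scheme"] = next(
        (name for pfx, name in SCHEMES.items() if body.startswith(pfx)), None)
    for key in FIELDS[2:8]:  # numeric aging fields; empty means "not set"
        entry[key] = int(entry[key]) if entry[key] else None
    return entry

def password_expiry(entry):
    """Date the password must be changed by, or None if no limit is set."""
    if entry["lastchange"] is None or entry["max"] is None:
        return None
    return EPOCH + timedelta(days=entry["lastchange"] + entry["max"])

def audit(entry):
    """Return defender-relevant findings for one parsed entry."""
    findings = []
    if entry["hash"] == "":  # shadow(5): empty field = no password needed
        findings.append("empty password field")
    elif entry["locked"]:
        findings.append("locked")
    if entry["scheme"] in WEAK:
        findings.append(f"weak hash scheme: {entry['scheme']}")
    return findings

# Constructed sample entries (hash bodies are placeholders, not real hashes).
SAMPLE = """alice:$6$salt$Saj...LongHash...:19876:0:99999:7:::
bob:!$1$constructed$placeholder:19876:0:90:7:::
svc:*:19876:0:99999:7:::"""

if __name__ == "__main__":
    for e in map(parse_shadow_line, SAMPLE.splitlines()):
        print(e["username"], e["scheme"], password_expiry(e), audit(e))
```

Reading the real /etc/shadow requires root, so the code is meant to be run over a copy collected during an audit or over constructed lines such as the ones embedded here.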
Related terms: /etc/passwd
Discussed in:
- Chapter 9: Users, Groups, and Permissions — /etc/passwd and /etc/shadow
Also defined in: Textbook of Linux