Shadow password

Shadow password

In computing, Unix-like operating systems use the shadow password database mechanism to increase the security level of passwords by preventing ordinary users from accessing encrypted password data.

Unshadowed passwords

On a system without shadowed passwords (typically very old Unix machines), the passwd database holds the following user information:

* Username
* Salt and hashed password
* Password expiration information
* User ID (UID)
* Default group ID (GID)
* Full name
* Home directory path
* Login shell

The passwd file is readable by all users in order to allow name service switch to work (eg, to ensure that user names are shown when the users lists the contents of a folder), but only root can write to it. This means that an attacker with access to the system at normal privilege level can obtain the hashed form of every user's password. These can then be used to mount a brute force attack offline, using the hashed passwords as a relatively fast way to test guessed passwords without alerting system security modules designed to detect an abnormal number of failed login attempts. Most users select passwords that are vulnerable to such password cracking techniques. [cite news
authorlink =
author = Rob Lemos
coauthors =
title = Passwords: the weakest link?
url =
work = CNET
date = 2002-05-22
accessdate = 2008-02-19

Shadowed passwords

Systems administrators can reduce brute force attacks by making the hashed password unreadable by unprivileged users, and the obvious way to do this is to make the passwd database itself readable only by the root user. However, this would also restrict access to other data in the file such as username-to-userid mappings, which would break many functions on the system. Thus the idea of a "shadow" password file was conceived, where the passwd file remains world-readable but users' hashed passwords are moved to a separate database - for local files, usually /etc/shadow on Linux and Unix systems or /etc/master.passwd on BSD systems—which can be read only by root. (Root access to the data is considered acceptable since on systems with the traditional "all-powerful root" security model, the root user would be able to obtain this information by other means.) Virtually all modern Unix-like operating systems use shadowed passwords.

With shadowed passwords in use, the /etc/passwd file shows a character such as '*', or 'x' instead of the hashed password, and /etc/shadow holds the following user information:

* User login name
* salt and hashed password
* Days since epoch of last password change
* Days until change allowed
* Days before change required
* Days warning for expiration
* Days before account inactive
* Days since Epoch when account expires
* Reserved

While the most important information in the shadow file consists of the hashed password, the file usually contains other fields as well, such as the last time the password was changed, when the password will expire, and whether the account is disabled. The format of the shadow file is simple and is basically identical to that of the password file: one line per user, ordered fields on each line, and fields separated by colons. Many systems specify that the order of user lines in the shadow file should be identical to the order of the corresponding users in the password file.

To modify the contents of the shadow file, users generally invoke the passwd program, which in turn is largely depending on PAM. For example, the type of hash used is dictated by the configuration of the module. By default the MD5 hash is used, while the newer module is also capable of stronger hashes such as blowfish.

Note that the shadow password file does not entirely solve the problem of access to hashed passwords, as some network authentication schemes operate by transmitting the encrypted password over the network, making it vulnerable to interception. Alternate copies of system data, such as system backups written to tape or optical media, can also become a means for illicitly obtaining hashed passwords. In addition, the functions used by legitimate password-checking programs need to be written in such a way that malicious programs cannot make large numbers of authentication checks at high rates of speed.


Password shadowing first appeared in UNIX systems with the development of System V Release 3.2 in 1988 and BSD4.3 Reno in 1990. Vendors which had performed ports from earlier UNIX releases did not include the new password shadowing features, leaving users of those systems exposed to password file attacks.

In 1987 the author of the original "Shadow Password Suite", Julie Haugh, experienced a computer break-in and wrote the initial release of the Shadow Suite containing just the login, passwd and su commands. The original release, written for the SCO Xenix operating system, quickly got ported to other platforms. The Shadow Suite was ported to Linux in 1992 one year later from Linux announcement and became a part of many early distributions.

System administrators may also arrange for the storage of passwords in distributed databases such as NIS and LDAP, rather than in plaintext files on each system. In the case of NIS, the shadow password mechanism is often still used on the NIS servers; in other distributed mechanisms the problem of access to the various user authentication components is handled by the security mechanisms of the underlying data repository.

See also

* Key derivation function
* Unix security
* vipw, a utility to edit the password and/or shadow file

External links

* [ authconfig] , a command-line tool for controlling the use of shadow passwords


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать реферат

Look at other dictionaries:

  • Shadow-Passwort — Unter dem Begriff Shadow Password wird eine Methode zum Schutz von Passwörtern verstanden, welche in vielen Unix Systemen noch heute verwendet wird. Das Passwort wird dabei vor dem Zugriff durch unbefugte Benutzer geschützt, um somit das Brechen… …   Deutsch Wikipedia

  • Shadow (disambiguation) — A shadow is a region of darkness where light is blocked.Shadow(s) may also refer to: Psychology*Shadow (psychology), a part of the unconscious mind consisting of repressed weaknessesFilm* Shadow (film), a 1956 film by Polish director Jerzy… …   Wikipedia

  • Password cracking — is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be to help a user recover a… …   Wikipedia

  • Autenticación — Autenticación[1] o autentificación[2] es el acto de establecimiento o confirmación de algo (o alguien) como auténtico, es decir que reclama hecho por, o sobre la cosa son verdadero. La autenticación de un objeto puede significar (pensar) la… …   Wikipedia Español

  • Salt (cryptography) — In cryptography, a salt consists of random bits, creating one of the inputs to a one way function. The other input is usually a password or passphrase. The output of the one way function can be stored rather than the password, and still be used… …   Wikipedia

  • File shadowing — There are several different technologies that use the term file shadowing , but the intent of file shadowing within these technologies is to provide an exact copy (or mirror of a set of data). For file shadowing to be effective, the shadow needs… …   Wikipedia

  • User identifier — Un user identifier ou UID permet d identifier un utilisateur sur les Systèmes d exploitation tels que Unix et Linux. Cette technique est utilisée principalement pour les droits d accès à des ressources ou à des domaines et donc pour la sécurité… …   Wikipédia en Français

  • Sal (criptografía) — Saltar a navegación, búsqueda En criptografía, la sal comprende bits aleatorios que son usados como una de las entradas en una función derivadora de claves. La otra entrada es habitualmente una contraseña. La salida de la función derivadora de… …   Wikipedia Español

  • Muddleftpd — is an FTP server, it is promoted as being a secure, lightweight and flexible FTP server . It has been released under the GPL License. It is a small daemon, which helps make it resource efficient. It also has some extra features to help with… …   Wikipedia

  • Groupe (Unix) — Dans les systèmes de type Unix, plusieurs utilisateurs peuvent être catégorisés en groupes. Les permissions sur les fichiers selon la norme POSIX et les Unix conventionnels sont organisés en trois classes : user, group, et others. L… …   Wikipédia en Français

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”