Understanding /etc/shadow file

Can you explain /etc/shadow file format used under Linux or UNIX-like system?

The /etc/shadow file stores the actual password in encrypted format for each user account, along with additional properties related to the password, i.e. it stores secure user account information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user listed in the /etc/passwd file. Generally, a shadow file entry looks as follows:

(Fig.01: /etc/shadow file fields)

  1. Username : It is your login name.
  2. Password : It is your encrypted password. The password should be minimum 6-8 characters long including special characters/digits and more.
  3. Last password change (lastchanged) : Days since Jan 1, 1970 that the password was last changed.
  4. Minimum : The minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
  5. Maximum : The maximum number of days the password is valid (after that the user is forced to change his/her password).
  6. Warn : The number of days before the password is to expire that the user is warned that his/her password must be changed.
  7. Inactive : The number of days after the password expires that the account is disabled.
  8. Expire : Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying when the login may no longer be used.

The last 6 fields provide password aging and account lockout features. You need to use the chage command to set up password aging. According to the man page of shadow, the password field must be filled. The encrypted password consists of 13 to 24 characters from the 64-character alphabet a through z, A through Z, 0 through 9, . and /. Optionally it can start with a "$" character. This means the encrypted password was generated using another (not DES) algorithm. For example, if it starts with "$1$" it means the MD5-based algorithm was used. Please note that a password field which starts with an exclamation mark (!) means that the password is locked. The remaining characters on the line represent the password field before the password was locked.
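The field layout described above, decoded in Python. This is an added example, not code from the original article or from the shadow tools; the sample lines and hash strings are constructed, the `$5$` and `$y$` scheme ids and the ninth (reserved) field are additions from shadow(5), and the status rules are a simplified reading of the field descriptions.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)
# Scheme ids that follow the first "$". "1", "2a" and "6" are named on this
# page; "5" (SHA-256) and "y" (yescrypt) are additions made for this example.
SCHEMES = {"1": "MD5", "2a": "bcrypt (Blowfish)", "5": "SHA-256",
           "6": "SHA-512", "y": "yescrypt"}
CRYPT64 = set(string.ascii_letters + string.digits + "./")  # DES crypt alphabet


@dataclass
class ShadowEntry:
    user: str
    locked: bool                      # password field starts with "!"
    scheme: str                       # scheme name, "empty" or "invalid"
    last_change: Optional[date]       # None: field blank or 0
    must_change: bool                 # lastchanged is 0
    password_expires: Optional[date]  # last_change + maximum
    account_expires: Optional[date]   # field 8


def classify(pw: str):
    """Return (locked, scheme) for the password field."""
    locked = pw.startswith("!")
    body = pw.lstrip("!")             # what the field held before locking
    if pw == "":
        return False, "empty"         # no password is required
    if body.startswith("$"):
        return locked, SCHEMES.get(body.split("$")[1], "unknown")
    if 13 <= len(body) <= 24 and set(body) <= CRYPT64:
        return locked, "DES"
    return locked, "invalid"          # "*", "!!", "*LK*", "NP", ...


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:              # the 8 fields above + 1 reserved field
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    user, pw = fields[0], fields[1]
    last, _min, maxd, _warn, _inact, exp = (
        int(f) if f else None for f in fields[2:8])
    locked, scheme = classify(pw)
    changed = EPOCH + timedelta(days=last) if last else None
    pw_exp = (changed + timedelta(days=maxd)
              if changed and maxd is not None else None)
    acct_exp = EPOCH + timedelta(days=exp) if exp is not None else None
    return ShadowEntry(user, locked, scheme, changed, last == 0,
                       pw_exp, acct_exp)


def status(e: ShadowEntry, today: date) -> str:
    """Simplified account state on a given day (boundary days are assumed
    inclusive; the Inactive grace period is not modelled)."""
    if e.account_expires is not None and today >= e.account_expires:
        return "account expired"
    if e.scheme == "empty":
        return "no password set"
    if e.locked or e.scheme == "invalid":
        return "password login disabled"
    if e.must_change:
        return "must change password at next login"
    if e.password_expires is not None and today >= e.password_expires:
        return "password expired"
    return "ok"


# Constructed sample entries; the hash strings are placeholders, not digests.
SAMPLE = [
    "vivek:$6$ConstructedSalt$ConstructedHashNotARealDigest:13064:0:99999:7:::",
    "tom:!$1$Constructed$ConstructedHashNotARealDigest:14712:1:90:7:14:15000:",
    "rpm:!!:14712::::::",
    "newhire:$6$ConstructedSalt$ConstructedHashNotARealDigest:0:0:90:7:::",
]

if __name__ == "__main__":
    for line in SAMPLE:
        entry = parse_shadow_line(line)
        print(entry.user, entry.scheme, entry.last_change,
              status(entry, date(2010, 5, 1)))
```

"password login disabled" here means only that no Unix password will be accepted for the account; it says nothing about other ways of becoming that user.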

How do I change the password?

Use the following syntax to change your own password:
$ passwd

How do I change the password for other users?

You must be root to change the password for all other users:
# passwd userNameHere
$ sudo passwd userNameHere

How do I set up password aging?

To change user password expiry information use the chage command on Linux. The syntax is (again, you must be root to set up password aging):

chage username
chage [options] username
chage vivek
chage -l tom

The options are as follows:

  -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
  -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -h, --help                    display this help message and exit
  -I, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --list                    show account aging information
  -m, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -M, --maxdays MAX_DAYS        set maximim number of days before password
                                change to MAX_DAYS
  -R, --root CHROOT_DIR         directory to chroot into
  -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

How do I verify integrity of password files?

The pwck command verifies the integrity of the users and authentication information. It checks that all entries in /etc/passwd and /etc/shadow have the proper format and contain valid data. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors. The syntax is:

pwck -r /etc/passwd
pwck -r /etc/shadow
pwck [options] /etc/shadow

The options are as follows:

  -h, --help                    display this help message and exit
  -q, --quiet                   report errors only
  -r, --read-only               display errors and warnings
                                but do not change files
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --sort                    sort entries by UID
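A read-only cross-check of the two files in Python, covering the format and consistency checks described above. This is an added example, not pwck's own logic: the checks are a small subset chosen here, the function names are hypothetical, and the file contents are constructed.

```python
def load(text: str, nfields: int):
    """Parse colon-separated account lines into {name: fields} plus findings."""
    entries, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != nfields or fields[0] == "":
            findings.append(f"line {n}: expected {nfields} fields and a user name")
        elif fields[0] in entries:
            findings.append(f"line {n}: duplicate entry for {fields[0]}")
        else:
            entries[fields[0]] = fields
    return entries, findings


def audit(passwd_text: str, shadow_text: str, today_days: int):
    """Return a list of findings; today_days is days since Jan 1, 1970."""
    users, p_find = load(passwd_text, 7)     # passwd lines have 7 fields
    shadows, s_find = load(shadow_text, 9)   # shadow lines have 9 fields
    findings = [f"passwd {m}" for m in p_find] + [f"shadow {m}" for m in s_find]
    for name, fields in users.items():
        if name not in shadows:
            findings.append(f"{name}: in passwd but not in shadow")
        elif fields[1] != "x":
            findings.append(f"{name}: password field in passwd is not 'x'")
    for name, fields in shadows.items():
        if name not in users:
            findings.append(f"{name}: in shadow but not in passwd")
        if fields[2].isdigit() and int(fields[2]) > today_days:
            findings.append(f"{name}: last password change is in the future")
    return findings


# Constructed file contents; hash strings are placeholders, not digests.
PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "vivek:x:1000:1000:Vivek:/home/vivek:/bin/bash",
    "tom:x:1001:1001::/home/tom:/bin/bash",
    "legacy:ab12cd34ef56g:1002:1002::/home/legacy:/bin/sh",
])
SHADOW = "\n".join([
    "root:$6$ConstructedSalt$PlaceholderNotADigest:14712:0:99999:7:::",
    "vivek:$6$ConstructedSalt$PlaceholderNotADigest:14712:0:99999:7:::",
    "vivek:$6$ConstructedSalt$PlaceholderNotADigest:14712:0:99999:7:::",
    "legacy:*:14712:0:99999:7:::",
    "ghost:!!:20000::::::",
    "broken:x:1",
])

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, today_days=14712):
        print(finding)
```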


  • D3vi8ant April 11, 2007, 3:31 pm

    What does a symbol of ! or * indicate when placed before this after the user login name . . . after typing cat /etc/shadow?

  • nixCraft April 11, 2007, 6:16 pm

    ! or * indicate that the user will not be able to use a unix/linux password to log in. In other words user login will be disabled.


    • Cody October 30, 2014, 4:08 pm

      Not entirely correct. Sure, if password is disabled then a normal user could not use that user but root absolutely could and so could anyone with unrestricted access to sudo (so they can use whatever command via sudo). The same goes for shell being set to (for example) /sbin/nologin

      Incidentally, ! means the password is locked. Furthermore, the entry CAN be empty and yes that means that unless the program in question denies it (because it is empty) you can indeed log in without a password.

  • Chandrima May 29, 2007, 3:56 pm

    Nice to get this information here, couldn’t understand it when our teacher taught it in class

  • r0ck80y August 1, 2007, 8:26 am

    If a user changes his password (using passwd command), how is the shadow file updated to include the new passwd? I mean, doesn’t the root/admin only have write permissions to this file?

  • nixCraft August 1, 2007, 12:07 pm

    passwd command has SUID (Saved User ID) enabled. When passwd command executed the effective user id (EUID) that is in force at the time is copied to the saved user id (i.e. root). Using this technique a normal user can update his/her password.

  • anonimus August 14, 2007, 9:29 am

    username:!!: …. or
    username:!!$1$MvGJq5Nq$ersjw/IaU90l.n5sB/FFP1: …

    I tried this on Linux machine and !! appeared after passwd -l username command – locking password.
    After passwd -u username – unlock, !! disappeared again.
    So this means that user cannot log in, so it is blocked, but I am not sure about all those rpm, nscd, nfsnobody and so on users.. they have only :!!: in password field in etc/shadow file. These users cannot log in, but are they entirely blocked?

    • Cody October 30, 2014, 4:47 pm

      They are not entirely blocked and they can be logged in to. They also don’t need to be there (well, some don’t). Example logins that don’t have to be there: halt, shutdown, reboot

      On the other hand, be careful: nobody IS necessary (if not in all cases then certainly some and you’ll want to be careful; even if no file is owned by that user that doesn’t mean it isn’t used and that rule applies to other users too), for example.

      And password locked does not mean you cannot log in to them and same goes for an invalid shell. Just as a caution there. It only means you can’t in a normal way. You can however still log in as (them).

  • Matthew Ford November 14, 2007, 9:15 pm

    The root user can still access accounts with blocked passwords, using su, but only if those accounts have a shell enabled in /etc/passwd (if the shell is /sbin/nologin, even root cannot access the account). I don’t know if there’s a difference between !! and * in the password field of the shadow file, though.

    • Cody October 30, 2014, 4:50 pm

      That is not true and while I certainly cannot say with 100% certainty that I remember in 2007, I am pretty sure I am remembering right: it was never true that you could not use it with an invalid shell.

      # su - user -s /bin/bash
      would log in to user with shell /bin/bash even if the shell is normally something else.

      and: ! = locked password.

  • Julia B. November 15, 2007, 8:54 pm

    Is it possible to have etc/shadow file where all the passwords are encrypted however one password is simply a recognizable word?

  • nixCraft November 15, 2007, 9:11 pm

    one password is simply a recognizable word?

    • Peter April 22, 2014, 5:14 am

      I am currently auditing a client and they have one password that shows up as a word, when all the others are encrypted. They confirmed that it was the correct password.

  • sunil March 3, 2008, 2:11 pm

    can any one make answer more clear how passwd changes the password although /etc/shadow has permissions 'r--------' with root as owner.

    • MaD dOG August 18, 2011, 8:59 pm

      the passwd command executes with root permissions since it is a setuid program. root owned processes can access the shadow file… they essentially are not affected by the file permissions.

  • Hogwu March 13, 2008, 11:58 am

    If there is an account in the etc/shadow file and the account does not have an equivalent in the etc/passwd file? Will the account work for login?

    • dean July 29, 2011, 9:52 pm

      Potentially, it can work. if there is another authentication directory other than “files” (/etc/passwd) specified in nsswitch, it can get the user info from that authentication directory, and the password info from /etc/shadow

      • jborody4378 January 15, 2013, 5:25 pm

        What does it mean then if there is an account in etc/passwd with a shell of /bin/false but no corresponding account listed in etc/shadow?

  • jarod04 April 4, 2008, 9:05 am


    heya mate. the passwd command can only be run by root or as a root (using sudo). The root can access (including read and write) to any file even if he doesn't have the permissions. That's why as a root, the /etc/shadow can be changed.

    You can call it perks of the job…


  • jake the fake April 23, 2008, 10:21 pm


    passwd command can be run by any user. when root runs it, they don't need to specify an old password to change it.

  • Pradeep July 16, 2008, 5:04 am

    Hey guys,

    Can you please tell me if

    1. "!!" means that the password is expired and the user will not be able to login?

    2. "*" means that the userid is locked?

    • Cody October 30, 2014, 4:53 pm

      Other way around. ! = locked. See shadow(5) for more information on the fields. And I promise this is the last one about this issue (did not mean to get carried away….).

      And to those who don’t know what shadow(5) means it means section 5 of the man pages. You can check by:
      $ man -s 5 shadow
      $ man 5 shadow
      (the former is for some other systems but still works for Linux man-pages)

  • Sally July 18, 2008, 9:00 am

    the passwd command is both SUID and SGID — these stand for Set User ID and Set Group ID. See permissions below;
    % ls -l /usr/bin/passwd
    54 -r-sr-sr-x 1 root sys 27228 Aug 16 2007 /usr/bin/passwd

    Just to clarify the perms —
    * user perms (root) – read, setuid on execute
    * group perms (sys) – read, setgid on execute
    * anyone perms – read and execute

    So, when anyone runs the passwd command, they will effectively be running it as the root user and the sys group.

    Although the permissions of passwd are read (no write), root does have the ability to force write on any file on a UNIX system (locally mounted).

    That is why when you run the passwd command, you effectively become root and the shadow file is updated.

    Hope that helps.

    • Cody October 30, 2014, 5:06 pm

      Actually, it IS saved set-user id. The system call setuid (and seteuid for effective user id equivalent) saves and sets the ids. There’s group equivalents too.

      More specifically, it saves the id and can be restored (depending on permissions). However, when it is +x suid then it means that it will then set user id. So there is a slight subtlety there but yes, that is the idea. If x is replaced with s then it is suid/guid execute.

      I should point out that suid (as you word it: you effectively become root) has always been risky and is the source of many rooted boxes over the years (buffer overflow, …). Hence why if you don’t need users to be able to use a specific command then you can make it not suid (but be careful of course.. it would be naive to think that you can do that – or anything! – blindly). traditionally ping is an example (why ? raw sockets for icmp).

      But yes, this is the idea and that is how it is possible. Mind you, if root opens a file in read only mode of, say, vi, you can save it but not by the normal way (you have to override the read-only). But in the end root has access to write even if it doesn’t. Well okay, if the mount is read-only or the disk is read-only (remember the floppy disk locks ?… nostalgia… is dangerous…) then that is different, but… with exception of finalised cd/dvd, you can get around the others.

  • Marilyn September 10, 2008, 4:49 pm


    I use the passwd -x -1 [username] command to remove the expirations, etc., but that 90 keeps showing up. How the hell do I get rid of that damn number short of vi’ing the shadow file?

  • David November 18, 2008, 5:56 pm

    Does anyone know how to set a mandatory minimum length for the root password? I typed in PASSWORD=14 in the ../etc/default/passwd file, but that only ALLOWS a 14 character password. It doesn’t require it.


  • nixCraft November 18, 2008, 6:13 pm


    To improve security, you need to use longer password. It can be enforced using Pluggable Authentication Module (PAM).

  • John December 10, 2008, 11:55 am

    “/etc/shadow file stores actual password in encrypted format”

    I don’t think so, I’m pretty sure that /etc/shadow stores a hashed output from the user's password, by default using ‘crypt’ in solaris and therefore limited to checking the first 8 chars of a password. You can invoke MD5 or SHA-1 instead, for better password checking. /etc/default/passwd contains the hints…..

    • Jon February 7, 2013, 9:38 pm

      You are right John, these passwords are one-way hashed, not encrypted.

  • Ricardo January 7, 2009, 12:03 am

    Is it possible to add an root entry to the /etc/passwd and /etc/shadow where there is no password, so that we can create a root that doesn’t have a password? thanks for the help

    • Matthew May 10, 2010, 11:24 pm

      edit /etc/shadow and remove the encrypted password.
      vi /a/etc/shadow
      An example from my lab looks like this.
      You will need to remove the section between the first colons. In this case ZW1NcbJpB8Yd6.
      The new line should look like this.

  • ARCHIT JAIN January 10, 2009, 5:50 am

    can one access /etc/shadow file even if one does not have root permissions…

  • shanks January 16, 2009, 4:50 pm

    Hey what is the mode of encryption in this shadow file?

  • waris February 23, 2009, 3:29 pm

    its ok but password means nothing could be done on it……….

  • navin April 8, 2009, 5:32 pm

    hi my linux friends

    I am a student of bannerjee sir, please help me about how to convert /etc/shadow file’s passwd into our normal form simply hashing

  • divya April 21, 2009, 3:12 pm

    It's very easy language, even a fresher can understand, explanation is given briefly

  • Abhishek May 26, 2009, 11:24 am

    Thanks a lot .. got hell lot of information

  • Dave June 16, 2009, 9:51 pm

    If I insert # comment lines, blank lines, or if I sort the contents differently, will this screw anything up? Will the system clobber comments, blank lines, or sort order? I could get the answer by experiment, but the risk of disaster is too high.

  • Keilaron September 12, 2009, 3:20 pm

    “if the shell is /sbin/nologin, even root cannot access the account”
    False. Both su and sudo let you specify a shell/command, so you (not just root) can bypass what /etc/passwd says. The shell value there is only a default shell! It does NOT entirely prevent someone from logging in (very common myth)! In other words, if you have access to an account with su or sudo, you can log in to it regardless of what the default shell is set to. I do it all the time.
    While it WOULD lock someone out of telnet, SSH2 allows you to specify an alternate shell to bypass /etc/passwd as well (although I’ve not had any success using this feature of SSH, so perhaps I’m misreading or not getting it right).

    • UNIXKIDA May 28, 2014, 11:37 am

      Am I getting something different than Keilaron has said. I guess statement is true.
      “if the shell is /sbin/nologin, even root cannot access the account”

      [root@rhel6 ~]# cat /etc/passwd | grep -i shridhar
      [root@rhel6 ~]# usermod -s /sbin/nologin shridhar
      [root@rhel6 ~]#
      [root@rhel6 ~]# su shridhar
      This account is currently not available.
      [root@rhel6 ~]# su - shridhar
      This account is currently not available.
      [root@rhel6 ~]#

      • UNIXKIDA May 28, 2014, 11:38 am

        [root@rhel6 ~]# cat /etc/passwd | grep -i shridhar
        [root@rhel6 ~]# date
        Wed May 28 17:07:58 IST 2014
        [root@rhel6 ~]#

        • Tony August 21, 2015, 12:46 am

          [root@svr ~]# tail -1 /etc/passwd
          nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
          [root@svr ~]# su nfsnobody -s /bin/bash
          bash-4.2$ whoami

  • ABDUL AWAL December 4, 2009, 1:16 am

    i am a student and i m new in linux ..can anyone please explain me the term dns resolver by taking into account:
    1.how it might be used to resolve the url:breo.beds.ac.uk
    2.how it compares with the hosts file

    • Matthew May 10, 2010, 11:32 pm

      unix looks to /etc/hosts file as first point of name resolution. Then /etc/resolv.conf is looked at where DNS server ip addresses are identified. The DNS server retains a database similar to that of the /etc/hosts file. DNS server database has to be maintained with server names and ip addresses rather than system administrator maintaining hundreds of /etc/hosts files on multiple machines.

    • Michael July 23, 2014, 3:36 pm

      Keep in mind, this is also impacted by the /etc/host.conf file, which states in which order to resolve host names.
      there are 3 ways to resolve:

      Most distros will have bind, hosts as default which says “look in the hosts file first, then try DNS”.

      NIS is another resolver, formerly known as “yellow pages”

      These 2 links may help:

  • ABDUL AWAL December 4, 2009, 1:26 am

    can anyone explain what is happening in the boxed areas shown in the startup script of a linux system:-

    checking for hardware changes [ok]
    bringing up loopback interface:[ok]
    bringing up loopback interface eth0:
    determining ip information for etho… done

    starting snmpd:[failed]
    starting cups[ok]
    starting sshd:[failed]
    starting sendmail:[failed]

  • RASEL December 4, 2009, 11:33 am

    can u explain how the /etc/shadow and /etc/passwd are used in the authentication process.why are two files used instead of one?how can i convert a system to use the /etc/shadow file to store password?

  • RASEL December 4, 2009, 11:36 am

    an example of absolute pathname is shown as /home/student/myprogms while a relative pathname can be shown as ../../documents can anyone discuss the differences between absolute and relative pathname and advantages.

  • Kriss December 30, 2009, 10:55 am


    can anyone tell me what is the hash here?


    i tried to crack it with md5 but it says it’s not a valid hash. I tried different combinations but it’s the same thing.

    Please help.

  • Mario January 3, 2010, 9:31 pm

    Hey Kriss,

    you can’t just crack md5, since md5 is actually a cryptographic hash function and it operates only ONE way: text -> hash!

    You might try the common words md5 database. Type “gdata md5 database” in your favourite search engine.
    If you are (un)lucky this hash will be found in the database, and you will be able to see clear text.

    • realmoonstruck May 6, 2011, 9:17 am

      you can always try john the ripper to crack the hash

  • Srikanth March 2, 2010, 8:13 am

    Could you please tell me how to open it?

  • Keilaron March 11, 2010, 11:56 pm

    Srikanth – With any text editor. However, only root has access to it.

  • manish bagwari March 15, 2010, 11:31 am

    sir mcrypt command is is nice for encryption
    that’s beautiful to use.
    sir how to open shadow file if permission denied?

  • manish bagwari(graphic era university) March 15, 2010, 11:35 am

    sir how to use algorithm for encryption.
    can we make algorithm ?
    in unix how to use mod(%)?

    • pandeeswaran March 4, 2012, 4:12 pm

      Why do you bother to use % operator in calculations. $a % 2 are perfectly valid in bash shell.

  • Mario March 15, 2010, 12:08 pm

    @manish bagwari:
    Shadow file can only be opened by a super user (already mentioned in Keilaron comment). So sudo vi /etc/shadow (and enter password, if your username is added to sudoers), or first become super user with use of the su command (must know root password), and then open the file via vi /etc/shadow.

    Mod (%) in korn shell can be used in following way: mymodulus=$(( 15 % 7 ))
    If you meant something else by “unix”, please let me know.

  • manish bagwari(graphic era university) March 16, 2010, 7:58 am

    Sir, I have used the su command; after giving the passwd it displayed authentication failure.
    Sir, what to do?
    And how can we know the root passwd?

  • Mario March 16, 2010, 9:26 am

    Well, without correct super user password, you can NOT read requested file!
    If you truly are authorised to use the system in super user mode, someone should have provided you with the password; or created rules in sudoers configuration file.

    If you installed the system by your self, and just forgot the password, you will probably have to boot it using rescue CD and then reset super user password. This procedure is well documented on the web.

  • manish bagwari(graphic era university) March 23, 2010, 9:10 am

    How to know the root password in unix, sir? When I used the su command it displayed authentication failure (in my own system). Sir, what to do?

  • manish bagwari(graphic era university) March 23, 2010, 9:37 am

    Sir, how to know the root passwd?
    su command replies authentication failure
    what to do?

  • Steve K April 1, 2010, 8:27 pm

    I had a problem with the screensaver under Ubuntu 9.10 not taking my password. I fixed it by changing the permissions of /etc/shadow to:
    -r--r----- 1 root shadow 1807 2010-03-26 00:33 /etc/shadow

  • tatineni April 4, 2010, 5:37 pm

    In the figure the encrypted password is really short when compared with the password field in my shadow password. I can't really understand what is the type of encryption


    can anyone pls help me understand this

    Linux learner

  • tatineni April 4, 2010, 5:42 pm

    From my password field I can identify $6$ which indicates it as a SHA based scheme, but when I converted my original password using some online converters I didn’t get the same encrypted password as that of my shadow password

  • bodo April 6, 2010, 7:57 am

    geez man – its called “one way function” for a reason.

  • Keilaron April 11, 2010, 6:19 pm

    Tatineni: There’s some additional modifications that occur to the password before it is placed in the shadow file. I’m not sure what they are, but yes, it seems the hashes created by md5/sha1/ are not inserted as-is into the shadow file. I’m not sure what it is, but it’s not base64 encoding, that much I know.

  • Al b. April 14, 2010, 3:19 pm

    I think a !! just means that account never had a password since it was first created by the system.

  • manoj August 29, 2010, 8:23 am

    What happens if you remove the shadow file et al.? Would you be able to log in?

  • lesca September 23, 2010, 4:29 am

    !! means user account has not been initialized or has not been locked.
    ! means group password is not available.
    * means login disabled.

    Hope it would be helpful

  • Sanjay November 1, 2010, 2:23 pm

    why /etc/shadow- and /etc/passwd- file ?

    # ls -l /etc/passwd*
    -rw-r--r-- 1 root root 2230 2007-08-17 19:20 /etc/passwd
    -rw-r--r-- 1 root root 2187 2007-08-17 15:03 /etc/passwd-

    # ls -l /etc/shadow*
    -r-------- 1 root root 1420 2010-02-07 03:30 /etc/shadow
    -r-------- 1 root root 1358 2007-08-17 15:03 /etc/shadow-

  • Chompi December 2, 2010, 9:49 pm

    “Understanding /etc/shadow file”???

    I still don’t see how the passwd string given to passwd is converted to the string in the shadow file.

  • Sylvain Lévesque January 10, 2011, 7:54 pm

    man shadow

  • XtreMist January 18, 2011, 1:14 pm

    Well Tell me any good way to by pass the shadow file when it is lock !!! ?

  • Urchin February 3, 2011, 9:40 pm


    It turns out that a “salt” is used to make the hash. This ‘salt’ is a random string which is different every time a password is generated.
    When you look at the hash in your passwd file it has the following scheme:

    *1 is an integer showing the hash type used (1=md5, according to one of the replies 6=SHA)
    *2 is the salt
    *3 is the hashed password (with the used salt)

    according to the link the following command will output the correct hash:
    openssl passwd -1 -salt *2
    (the -1 is for md5, not sure how to use this with other hash types)

    To be clear on hash versus encryption:
    A hash is one way. With hashes it is not unlikely that two different inputs lead to the same hash, therefore it is impossible to retrieve a password from a hash. A good hash algorithm makes it unlikely to find 2 different inputs for the same hash. One could say that on creation of the hash some information needed to reverse the process is removed and can not be recovered.

    With encryption it is two way. You will need some kind of key to decrypt (most likely a hashed password), but this key will always result in one way to the unencrypted state (ie input). In other words all information to decrypt is still available.
    For a root password reset have a look at (you will need physical access to the box):

  • Hasan May 3, 2011, 9:11 am

    The “Last password change” field for some users are 0 or around 6000 days or some are even blank. However, for all the above users, the “Max” field is 28 days.
    Can anyone pls explain how this is possible? Thx

  • gregory June 3, 2011, 7:22 pm

    I’m trying to unshadow my passwd file on mac os x 10.6.7 (MBP if it helps) I can’t seem to locate the shadow file in etc/ can you help me? I’m trying to do this for use with john the ripper to test the passwords on my server, and I am new to john the ripper.

    • vignemail1 August 2, 2011, 8:00 am

      There is no /etc/shadow file on Mac OS X. All passwords are stored by a daemon (DirectoryService if I remember correctly) which stores passwords in many hashed kinds (MD5, CRYPT-DES, SHA, LM, KRB5, …) for all services that need it. All requests for changing a password are redirected to this daemon which updates all hashes “on-the-fly”. Same thing for authentication

  • Scott June 26, 2011, 4:35 am

    PS: The first dollar sign signifies the hashing algorithm:

    $1 – md5
    $2a – blowfish
    $6 – sha-512

    Most modern linux distros use $6 in /etc/shadow for user accounts

  • jocurds June 26, 2011, 9:34 am

    for etc/shadow file for user accounts with ‘NP’ (no password) also means that the account is disabled? kindly advise.

    • jocurds June 26, 2011, 9:36 am

      by the way this is for solaris 8.

      • Anon November 29, 2011, 7:35 pm

        Not technically disabled, just not able to login. Account passwd has not been set but can be set by root.

  • zimmy August 8, 2011, 6:18 am

    HI all
    can anybody help me

    Suppose any user's passwd expires, so how can we get information regarding this?
    We don't know what the user name is, then how can we identify that this user’s passwd has expired?

    mail me pls

    thxx in advance

  • Abhishek August 18, 2011, 4:53 pm

    Hi… can anyone tell me… is there any procedure or any script or tool through which I can change the password setting.. I mean when I type the password in Linux nothing is displayed, is there any way to change it with the * symbol… so next time instead of nothing I will get ******** like this form…. thanks in advance…

    • Felix Uy Ventula Jr. December 21, 2011, 8:19 am

      With this instance you need to break the encryption layer before we can proceed to the inquiries you like. Then it time we can formulate that kind of scripting code and it depends to the one you like systems.

  • bonnieallen September 29, 2011, 12:22 am

    How do I change my password

    • CallMeBob October 12, 2011, 8:20 pm

      typically you’d just login and type “passwd”, then give your old password and a new password and it would be set for you.

    • Felix Uy Ventula Jr. December 21, 2011, 8:17 am

      just do the reset password command in the unix command line.
      $ User ID= Username
      $ resetpassword

  • Dileepa November 17, 2011, 8:09 am


    Can anybody tell me how to calculate the date the password was changed? I mean how to get the actual password change date.


    According to this log the password was changed on 14712, but how do I know on which date, which month and which year the password changed?

    Thank you

    • Brian November 29, 2011, 4:14 pm

      Dileepa, (November 17, 2011)

      On linux you can use the date command to convert the EPOCH days to the date.
      The time reported back is not valid, since I am using a full day for seconds.

      date -d @`echo 14712*86400|bc`
      Mon Apr 12 20:00:00 EDT 2010

  • jitendra December 29, 2011, 6:27 pm

    what is main file /etc/passwd or /etc/shadow

  • joe January 1, 2012, 10:27 am

    Thanks for telling us the meaning of the last 2 spaces, usually blank

  • Purna February 2, 2012, 10:16 am

    Thanks for posting!!!

  • ashish February 7, 2012, 8:38 am

    i am having a real problem.. can i encrypt a given string just in the manner linux does so that i can match that encrypted string with real encrypted password??

  • Shirish March 29, 2012, 1:38 pm

    How I tweak to allow user to login by blank password .. Have done it years back … forget .. Please remind !


  • Mahesh Chadare May 16, 2012, 7:22 am

    Thank u very much .First time i got clear idea about password expiry date ,account disable date and password inactive period

  • Mohammed Sami May 17, 2012, 6:11 am

    Hi All,

    while you are trying to change password for any user logged in with root user. And if you get error saying “Permission Denied”. Then you just need to edit /etc/shadow file and clear the password. If in the password section you find *LK* then you just delete them and re-try changing password. It should be fine.


  • garry July 24, 2012, 10:56 am

    what about 7th and 8th comment ….it is not shown in the format

  • elavarasan August 2, 2012, 4:51 am

    My Acer laptop's Linux OS does not open although I enter the correct username and password, so my computer is totally dead. How to solve this problem? Please help, anybody

  • Kevin October 17, 2012, 7:57 pm

    Hello there,
    I’m trying to understand field 3. Can you explain how 13064 in field 3, ended up with Jan 1, 1970 as its date.

    Thanks in advance,

    • Moe November 1, 2012, 9:08 pm

      13064 days since <—- the epoch (Jan 1, 1970) that the password has changed. Which gives you Oct 8, 2005.

  • John October 18, 2012, 2:48 pm


    It didn’t end up with Jan 1 1970.

    As it says above, this field is the days since Jan 1, 1970 that password was last changed.

    13064 means the 8th of October 2005.

    Link [timeanddate.com]

    I hope this helps.


  • Priya October 26, 2012, 5:29 am


    Can you tell me, Why /etc/shadow file doesn’t have any permissions for owner, group owner and others.

    • Nepto November 17, 2012, 4:02 am

      Because it would be a security flaw.

      File /etc/shadow contains password hashes of system users, so it is not desirable that anyone can see that file.

      However, the usual permissions are: no permissions for others, read-only permission for the shadow group and read-write permission for the superuser (root).

  • ger January 16, 2013, 5:58 am

    I’m running Solaris 10. I messed up the /etc/shadow file using vi and now I can’t use root to log on. Is there a way to get into it, or am I going to have to reimage the server?


  • rohit July 16, 2013, 7:02 am

    hash code is the second field in that line…

    its the content between 1st and 2nd delimiter ‘:’

    content before the 1st ‘:’ is field 1

    and content after second ‘:’ is field 2

  • basu April 7, 2014, 4:50 am

    How to make a password change mandatory every time a user logs in, in Linux, using a command?

  • Rick Carrick April 15, 2014, 5:30 pm

    basu said on April 7, 2014:
    How to make a password change mandatory every time a user logs in, in Linux, using a command?

    There isn’t a command to do that every time that user logs in, and if there were one, it would probably cause that user a denial of access. But, to force the user to change their password on the NEXT time they log in, use the command:

    “passwd -f ” (as root)

    That will force them to change their password the next time they log in ONLY, but not every time. A system admin will typically use that command when changing a user’s password, perhaps tell the user the password in a voice mail, then let them know that as soon as they log in they will be forced to change the password.

    • Cody December 31, 2014, 3:36 pm

      One could further that, though, automatically (and/or use other ways aside from commands). But I call it a bad move: it will only give them more reason to use weak passwords. It is worse than password aging in that regard (the latter of which goes too far, especially as number of logins increases (of course, foolishly re-using passwords is another issue entirely)). Better would be to use login key + password or otherwise multifactor authentication.

  • AD October 31, 2014, 10:41 am

    bash-4.1# adduser -s /sbin/nologin graphene

    bash-4.1# cat /etc/shadow


    The above line suggests password has yet not been set for the user graphene whose login is disabled

    Adding a password for user graphene in the line below
    bash-4.1# passwd graphene

    Retype new password:
    passwd: all authentication tokens updated successfully.

    Now checking the shadow file
    bash-4.1# cat /etc/shadow


    bash-4.1# whoami

    Now trying to login as graphene

    bash-4.1# login
    login: graphene
    This account is currently not available.

    Even the root user doesn’t seem to login into the account which has been marked “NoLogin”

    • Cody November 1, 2014, 12:11 pm

      You’re under the assumption (and/or you’re not thinking of other possibilities) that the only way to log in is via the console.

      But you’re wrong.

      su allows you to specify shell which means that you can change the shell. Same with sudo.

      $ su - someuser -s /bin/bash

      will allow you to log in as someuser even if someuser has the shell of /sbin/nologin

      Therefore no, it isn’t disabled in full.

      • Cody November 1, 2014, 12:16 pm


        Define “login” – you might argue that logging in means directly as in you cannot be authenticated at all before it. But su essentially lets you log in as another user even if it is indirectly logging in. Indeed, try ‘su - someuser’ versus ‘su someuser’ and there are differences. Login shells, interactive shells… Also, if you check the man page of login you’ll see how your way isn’t correct, anyway:

        “A recursive login, as used to be possible in the good old days, no longer works; for most purposes su(1) is a satisfactory substitute. Indeed, for security reasons, login does a vhangup() system call to remove any possible listening processes on the tty. This is to avoid password sniffing. If one uses the command login, then the surrounding shell gets killed by vhangup() because it’s no longer the true owner of the tty. This can be avoided by using exec login in a top-level shell or xterm.”
        But still, the fact remains you can use su and specify the shell which therefore overrides the so-called disabled account.

  • Voyager December 30, 2014, 1:18 am

    Actually, I think what is stored in the password field inside the shadow file is only a hash of the original password, not the password itself. The password field is usually divided into three parts, each part separated by a dollar sign. The first part signifies the algorithm used, i.e. a value of 1 would indicate MD5 was used. The second part is the salt, if any, used when generating the hash. The last field is the password hash itself.

    • Cody December 31, 2014, 3:31 pm

      More important is that it isn’t world readable. And more to the point, when you disable shadowing (i.e. running as root ‘pwunconv’ …) then password IS readable and it also has the encrypted password. As for shadow, it does hold the encrypted password but the structure of it (that you describe) is correct only in some cases (you do use ‘usually’ but… will elaborate).

      Salt is part of it – Linux uses the crypt library call for passwords and it involves a salt – no ifs. That’s how it has been as long as I remember (long before shadow the norm (or maybe there.. don’t remember) (okay, to be fair, I’ve only used Linux since the early 2000s; I used SunOS/Solaris and various BSDs, prior to that) and I would imagine it has always been this way.

      As for the form of the password: It only has: $id$ if it isn’t 3DES (like the old systems defaulted to). $id$ specifies the algorithm to use. The salt and the hash are there regardless. There’s one other case where crypt(3) might fail: it isn’t implemented (e.g. export restrictions).

      In addition, to Vivek, you’re wrong: the password field does NOT have to be filled. It is just that some programs might deny access if a user tries to use an account (use = authenticate as) with no password. But it is technically allowed. Secondly, the string is 13 characters (first 2 is salt) for 3DES, and it is 22 for MD5. But those two aren’t the only algorithms. Thirdly, \ is not part of the hash.
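Added example (not part of the original article or of any comment): a small Python parser for the entry format discussed in this thread. It decodes the days-since-1970 fields from the Kevin/Moe/John exchange and splits the password field into the $id$salt$hash parts described by Voyager and Cody. The function names, state labels and sample entries are assumptions made for illustration; the $5$/$6$ ids and the special meaning of 0 in field 3 come from crypt(5) and shadow(5), not from this page.

```python
from datetime import date, timedelta
import string
# $1$ is named in the article; $5$ and $6$ are the SHA-crypt ids from crypt(5).
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DES_ALPHABET = set(string.ascii_letters + string.digits + "./")

def days_to_date(field):
    """Fields 3 and 8 count days since Jan 1, 1970; empty means not set."""
    return date(1970, 1, 1) + timedelta(days=int(field)) if field else None

def classify_password(field):
    """Describe field 2 (state, scheme, salt) without verifying any password."""
    if field == "":
        return {"state": "empty", "scheme": None, "salt": None}
    locked, body = field.startswith("!"), field.lstrip("!")
    info = {"state": "locked" if locked else "hash", "scheme": None, "salt": None}
    if body.startswith("$"):
        parts = body.split("$")      # ['', id, optional rounds=N, salt, hash]
        info["scheme"] = SCHEMES.get(parts[1], "id " + parts[1])
        rest = parts[2:]
        if rest and rest[0].startswith("rounds="):
            rest = rest[1:]
        if parts[1] in SCHEMES and len(rest) == 2:
            info["salt"] = rest[0]
    elif len(body) == 13 and set(body) <= DES_ALPHABET:
        info["scheme"], info["salt"] = "descrypt", body[:2]
    elif not locked:
        info["state"] = "no-login"   # "*", "*LK*", ...: no password can match
    return info

def parse_shadow_line(line):
    """Split one /etc/shadow entry into named fields with decoded dates."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:              # the article's 8 fields plus 1 reserved
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    return {
        "user": parts[0],
        "password": classify_password(parts[1]),
        "lastchanged": days_to_date(parts[2]),
        "must_change": parts[2] == "0",  # shadow(5): 0 forces a change at next login
        "expire": days_to_date(parts[7]),
    }
# Constructed sample entries; the salts and hashes are placeholders.
SAMPLE = [
    "alice:$6$rounds=5000$SALTSALT$PLACEHOLDERHASH:13064:0:99999:7:::",
    "bob:!$1$SALTSALT$PLACEHOLDERHASH:0:0:99999:7:::",
]
for entry in SAMPLE:
    print(parse_shadow_line(entry))
```

Run as root over the real file, the same functions give a quick audit of which accounts are locked, have an empty password field, or still carry DES or MD5 hashes.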

  • Badshah Khan January 17, 2015, 10:51 am

    Best explanation for new guys.

    Simply Superb!
    Keep posting such good articles.

    Thanks & Regards
    Badshah Khan
