
Shadow Passwords


You’ve probably all seen the shadow password option during your Linux system setup. What is this mysterious feature, a throwback to 1940s radio? “Who knows what evil lurks in the hearts of men? The Shadow knows.” Not quite. Shadow passwords are an additional security layer in Linux intended to protect your system from those The Shadow knows - folks with evil in their hearts.

First, you should understand that passwords in Linux are stored in the /etc/passwd file. Under normal circumstances, these passwords are encrypted so that they cannot simply be read. But as password cracking programs grow more sophisticated, so does the need for additional security around this vital element of your Linux system. Because /etc/passwd has to be readable by every user on the system, anyone with an account can see the encrypted strings. Brute force and more sophisticated cracking programs exist today that compare even the encrypted passwords in /etc/passwd to huge dictionaries of potential alphanumeric strings, looking for the perfect match. Once that match is found, closing up holes in your system can be quite a lot like closing the proverbial barn door after the cow’s gotten out. Shadow passwords, on the other hand, take password protection to yet another level.

Shadow passwords fundamentally perform two actions. First, the encrypted password field in /etc/passwd is replaced with either an x or an *, neither of which can occur in a real encrypted password. Second, shadow passwords create a file named /etc/shadow that holds the actual encrypted passwords. Since this file is readable only by root, it provides security for user passwords at the tightest, most fundamental OS level. Additional fields in /etc/shadow, while similar to the fields in /etc/passwd, contain empty or phony values.
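The two properties described above can be checked mechanically. The following Python audit is an added example, not part of the original article: it flags passwd entries whose password field is not one of the two placeholders the article names, and checks that a shadow file is closed to ordinary users. The function names and the sample entries are constructed for illustration.

```python
import os
import stat

# Placeholders the article names for a shadowed /etc/passwd entry.
SHADOW_MARKERS = {"x", "*"}

def audit_passwd(text):
    """Return (user, problem) pairs for passwd entries that are not shadowed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:passwd:uid:gid:gecos:home:shell
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            findings.append((user, "password field is not a shadow placeholder"))
    return findings

def shadow_mode_problems(path):
    """Return permission problems for a shadow file, which should be root-only."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("accessible by other users")
    if st.st_uid != 0:
        problems.append("not owned by root")
    return problems

# Constructed sample in /etc/passwd format; "abExampleHash" is not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:abExampleHash:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
"""

if __name__ == "__main__":
    for who, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {problem}")
    if os.path.exists("/etc/shadow"):
        for problem in shadow_mode_problems("/etc/shadow"):
            print(f"/etc/shadow: {problem}")
```

To audit a live system, pass the contents of /etc/passwd to `audit_passwd` instead of the sample; reading that file needs no special privileges, which is exactly why it should contain only placeholders.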

Who knows what evil lurks in the hearts of men? Anyone, really, who’s had their system compromised. If you’re not particularly open to the idea of someone lurking in the heart of your machine, call in The Shadow - shadow passwords, that is.
