How password hashing works on Linux


You may know that passwords are hashed on Linux systems, and the hashes are stored in the restricted access /etc/shadow file. But did you know that you can also determine the hash method that was used and report the number of days since a password was last changed from this file as well?

To look at a user record in the /etc/shadow file, run a command like this:

$ sudo grep nemo /etc/shadow

You should see a line that looks something like this:

nemo:$6$FVYIIgcEcObSsUcf$FsSBlV9soVt.Owbd4xnvhlZzjx73ZBQQBT0WMyah6qcdnH91tBf9C4EaYbRtr7jKGETP/TwBNjyrDFqhvK0NV1:18698:7:90:7:::

In spite of how long that line is, it's quite easy to parse. The first two fields in the lines of this colon-separated file store:

  • the username (nemo)
  • the password hash (including the hashing method used) in a $id$salt$hashed format

That $6$ portion of this string represents the hashing algorithm used.

  • $1$ means MD5
  • $2a$ means Blowfish
  • $2y$ means Blowfish
  • $5$ means SHA-256
  • $6$ means SHA-512

The major portion of nemo's /etc/shadow file entry represents the password hash. The following numeric fields (18698:7:90:7:::) represent:

  • the date of the last password change in a "days since the epoch" format (18698)
  • the minimum required days between password changes (7)
  • the maximum allowed days between password changes (90)
  • the number of days in advance to display password expiration message (7)
  • the number of days after password expiration to disable the account (not set above)
  • the account expiration date (not set above)
  • a reserved field (not set above)

To find today's date in the "days since the epoch" form, you can run a command like the alias shown below, which divides the "seconds since the beginning of the Unix epoch" by 86,400 (the number of seconds in a day).

$ alias epoch_date='echo $(( $(date +%s) / 86400 ))'
$ epoch_date
18855

(Single quotes matter here: with double quotes the shell would evaluate the arithmetic once, when the alias is defined, and the alias would print that fixed number from then on.)

You can then take that first field shown in the numeric fields (18698) of the /etc/shadow file and determine how many days ago the password was changed. In this example, it was 157 days ago.

$ expr 18855 - 18698
157
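The field layout and the days-since-change arithmetic above, as an added Python example that is not from the article: it parses one shadow record (the nemo line quoted earlier, joined onto one line), maps the $id$ to the hash method, extracts the salt, converts the last-change day count to a calendar date and flags a password older than the policy maximum. The `today_days` argument and the result keys are my own choices.

```python
import datetime

# Hash method ids (crypt(5)); the article lists these five.
HASH_METHODS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish",
                "5": "SHA-256", "6": "SHA-512"}
EPOCH = datetime.date(1970, 1, 1)

# Constructed sample: the nemo record quoted in the article, on one line.
SAMPLE = ("nemo:$6$FVYIIgcEcObSsUcf$FsSBlV9soVt.Owbd4xnvhlZzjx73ZBQQBT0WM"
          "yah6qcdnH91tBf9C4EaYbRtr7jKGETP/TwBNjyrDFqhvK0NV1:18698:7:90:7:::")


def parse_shadow_line(line: str, today_days: int) -> dict:
    """Parse one /etc/shadow record and derive password-aging facts.

    today_days is today's date as days since the epoch (date +%s / 86400),
    passed in instead of read from the clock so results are reproducible.
    """
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 fields, got %d" % len(fields))
    user, pw, last, _min, maximum, _warn, _inact, _expire, _reserved = fields

    # $id$salt$hash. Locked or empty fields ("!", "*", "!!", "") carry no method.
    method = salt = None
    parts = pw.split("$") if pw.startswith("$") else []
    if len(parts) >= 4:
        method = HASH_METHODS.get(parts[1], "unknown id " + parts[1])
        if parts[1] in ("2a", "2y"):
            salt = parts[3][:22]      # bcrypt: $2y$cost$<22-char salt><hash>
        elif parts[2].startswith("rounds="):
            salt = parts[3]           # sha-crypt with an explicit rounds= prefix
        else:
            salt = parts[2]

    last_days = int(last) if last else None
    max_days = int(maximum) if maximum else None
    age = today_days - last_days if last_days is not None else None
    return {
        "user": user, "method": method, "salt": salt,
        "locked": pw.startswith(("!", "*")),
        "last_change": (EPOCH + datetime.timedelta(days=last_days)
                        if last_days is not None else None),
        "days_since_change": age, "max_days": max_days,
        # Older than the policy maximum: chage would report the password expired.
        "overdue": age is not None and max_days is not None and age > max_days,
    }
```

Run it against the sample with `parse_shadow_line(SAMPLE, 18855)` to reproduce the 157-day age from the article; on a live system, read the line from /etc/shadow (as root) and pass `int(time.time() // 86400)`.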

You can also determine the date the password was last changed by using the chage command, which reads the data from the /etc/shadow file and reports that date along with the other password settings.

$ sudo chage -l nemo
Last password change                                    : Mar 12, 2021
Password expires                                        : Mar 12, 2022
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

Wrap-Up

The /etc/shadow file stores a lot of important settings for passwords on Linux systems, including the algorithm used to create the password hashes and the password last set and expiration dates.

Copyright © 2021 IDG Communications, Inc.
