How password hashing works on Linux

Conceptual image of a password amid hexadecimal code.
Matejmo / Getty Images

You may know that passwords are hashed on Linux systems, and the hashes are stored in the restricted access /etc/shadow file. But did you know that you can also determine the hash method that was used and report the number of days since a password was last changed from this file as well?

To look at a user record in the /etc/shadow file, run a command like this:

$ sudo grep nemo /etc/shadow

You should see a line that looks something like this:


In spite of how long that line is, it's quite easy to parse. The first two fields in the lines of this colon-separated file store:

  • the username (nemo)
  • the password hash (including the hashing method used) in a $id$salt$hashed format

That $6$ portion of this string represents the hashing algorithm used.

  • $1$ means MD5
  • $2a$ means Blowfish
  • $2y$ means Blowfish
  • $5$ means SHA-256
  • $6$ means SHA-512

The major portion of nemo's /etc/shadow file entry represents the password hash. The following numeric fields (18698:7:90:7:::) represent:

  • the date of the last password change in a "days since the epoch" format (18698)
  • the minimum required days between password changes (7)
  • the maximum allowed days between password changes (90)
  • the number of days in advance to display password expiration message (7)
  • the number of days after password expiration to disable the account (not set above)
  • the account expiration date (not set above)
  • a reserve field (not set above)

To find today's date in the "days since the epoch" form, you can run a command like that shown in the alias below that divides the "seconds since the beginning of the Unix epoch" by 86,400 (the number of seconds in a day).

$ alias epoch_date="echo $(( $(date +%s) / 86400 ))"
$ epoch_date 18855

You can then take that first field shown in the numeric fields (18698) of the /etc/shadow file and determine how many days ago the password was changed. In this example, it was 157 days ago.

$ expr 18855 - 18698

You can also determine the date the password was last changed by using the chage command that grabs the data from the /etc/shadow file and reports that date along with other password stats.

$ sudo chage -l nemo
Last password change                                    : Mar 12, 2021
Password expires                                        : Mar 12, 2022
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7


The /etc/shadow file stores a lot of important settings for passwords on Linux systems, including the algorithm used to create the password hashes and the password last set and expiration dates.


Copyright © 2021 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022