How password hashing works on Linux

You may know that passwords are hashed on Linux systems, and the hashes are stored in the restricted access /etc/shadow file. But did you know that you can also determine the hash method that was used and report the number of days since a password was last changed from this file as well?

To look at a user record in the /etc/shadow file, run a command like this:

$ sudo grep nemo /etc/shadow

You should see a line that looks something like this:

nemo:$6$FVYIIgcEcObSsUcf$FsSBlV9soVt.Owbd4xnvhlZzjx73ZBQQBT0WM
yah6qcdnH91tBf9C4EaYbRtr7jKGETP/TwBNjyrDFqhvK0NV1:18698:7:90:7
:::

In spite of how long that line is, it’s quite easy to parse. The first two fields in the lines of this colon-separated file store:

• the username (nemo)
• the password hash (including the hashing method used) in a $id$salt$hashed format

That $6$ portion of this string represents the hashing algorithm used.

• $1$ means MD5
• $2a$ means Blowfish
• $2y$ means Blowfish
• $5$ means SHA-256
• $6$ means SHA-512

The major portion of nemo’s /etc/shadow file entry represents the password hash. The following numeric fields (18698:7:90:7:::) represent:

• the date of the last password change in a “days since the epoch” format (18698)
• the minimum required days between password changes (7)
• the maximum allowed days between password changes (90)
• the number of days in advance to display password expiration message (7)
• the number of days after password expiration to disable the account (not set above)
• the account expiration date (not set above)
• a reserve field (not set above)

To find today’s date in the “days since the epoch” form, you can run a command like that shown in the alias below that divides the “seconds since the beginning of the Unix epoch” by 86,400 (the number of seconds in a day).

$ alias epoch_date="echo $(( $(date +%s) / 86400 ))"
$ epoch_date 18855

You can then take that first field shown in the numeric fields (18698) of the /etc/shadow file and determine how many days ago the password was changed. In this example, it was 157 days ago.

$ expr 18855 - 18698
157

You can also determine the date the password was last changed by using the chage command that grabs the data from the /etc/shadow file and reports that date along with other password stats.

$ sudo chage -l nemo
Last password change                                    : Mar 12, 2021
Password expires                                        : Mar 12, 2022
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 7
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

Wrap-Up

The /etc/shadow file stores a lot of important settings for passwords on Linux systems, including the algorithm used to create the password hashes and the password last set and expiration dates.