Where is the user password stored in Linux?

User passwords in Linux are stored as hashed values in the /etc/shadow file, while basic account info lives in /etc/passwd.

Where is user password stored in Linux? (Quick Scoop)

In modern Linux systems, your actual password is never stored in plain text. Instead, a hash of your password (plus a salt) is stored in a special, more protected file.

Core idea in one line

  • User account details: /etc/passwd (world-readable).
  • User password hashes: /etc/shadow (root-only).

Mini story: from old Unix to now

Once upon a Unix time, hashed passwords were kept directly in /etc/passwd, alongside usernames and other info. Because this file is readable by all users, the password hashes were exposed to offline cracking.

To fix that, systems moved the password hashes into /etc/shadow, a file readable only by root, leaving /etc/passwd as a public user database without real password data.

What’s inside /etc/passwd vs /etc/shadow

Below is a simple view of what each file stores. [3][7] [9][3][5]
| File | Access | What it stores | Example content |
| --- | --- | --- | --- |
| /etc/passwd | Readable by all users. | Username, UID, GID, home directory, shell, and a placeholder in place of the password.[7] | alice:x:1000:1000:Alice User:/home/alice:/bin/bash (the x points to /etc/shadow).[5][7] |
| /etc/shadow | Readable only by root (or shadow group). | Username, salted & hashed password, password aging and expiry info.[2][6][9] | alice:$6$KdKtA7Po$Ef3R0QTX5d...:18569:0:99999:7::: (hash, salt, and policy data).[4][6] |

How the password is actually stored

  • Linux stores a hash of your password, not the password itself.
  • The hash uses a salt and an algorithm identifier (e.g. MD5-crypt, SHA-256-crypt, SHA-512-crypt, bcrypt, depending on system configuration).
  • A typical /etc/shadow entry includes:
    • Username
    • Hashed password (with algorithm and salt)
    • Last password change date
    • Min/max age, warning period, and other policy fields.

Example pattern of the password field in /etc/shadow:

$id$salt$hashed_password

Here id encodes which hashing method is used (e.g. $1$ for MD5, $6$ for SHA-512 on many systems).
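As an added example (not code from this page), the Python below parses shadow-format entries into their nine fields, classifies the password field by its $id$ prefix, and reports accounts with an empty password field or a weak scheme. The scheme identifiers other than $1$ and $6$, the WEAK policy set, and the sample entries are assumptions of the example.

```python
from datetime import date, timedelta

# "$id$" prefixes: $1$ and $6$ are on the page; the rest are assumed standard crypt(3) ids.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"MD5-crypt", "DES-crypt"}           # this example's own policy choice
FIELDS = ("user", "password", "last_change", "min_age", "max_age",
          "warn", "inactive", "expire", "reserved")

def classify_password(field):
    """Return (state, scheme, salt) for the password field of a shadow entry."""
    if field == "":
        return ("empty", None, None)        # no password required
    body = field.lstrip("!*")
    state = "locked" if body != field else "set"
    if not body:
        return ("locked", None, None)       # marker only, no usable hash
    if not body.startswith("$"):
        return (state, "DES-crypt", None)   # traditional format without "$id$"
    parts = body.split("$")                 # ['', id, salt or params, ..., hash]
    scheme = SCHEMES.get(parts[1], "unknown")
    # Only MD5/SHA-crypt use the $id$[rounds=N$]salt$hash layout shown above.
    salt = parts[-2] if parts[1] in ("1", "5", "6") and len(parts) >= 4 else None
    return (state, scheme, salt)

def parse_shadow_line(line):
    values = line.rstrip("\n").split(":")
    if len(values) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields, got %d" % len(values))
    entry = dict(zip(FIELDS, values))
    entry["state"], entry["scheme"], entry["salt"] = classify_password(entry["password"])
    days = entry["last_change"]             # days since 1970-01-01
    entry["changed_on"] = date(1970, 1, 1) + timedelta(int(days)) if days.isdigit() else None
    return entry

def audit(lines):
    """Return (user, finding) pairs worth following up on."""
    findings = []
    for entry in map(parse_shadow_line, lines):
        if entry["state"] == "empty":
            findings.append((entry["user"], "empty password field"))
        elif entry["scheme"] in WEAK:
            findings.append((entry["user"], "weak scheme " + entry["scheme"]))
    return findings

# Constructed sample entries; the hash portions are placeholders, not real hashes.
SAMPLE = ["alice:$6$KdKtA7Po$PLACEHOLDER:18569:0:99999:7:::",
          "bob:$1$abcdefgh$PLACEHOLDER:18000:0:99999:7:::",
          "svc:!:18000:0:99999:7:::", "guest::18000:0:99999:7:::"]
```

Calling audit(SAMPLE) flags bob (MD5-crypt) and guest (empty field); on a real system the input would be the lines of /etc/shadow, read as root.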

Other places passwords might live

On some setups, especially in enterprise environments, the system may not keep passwords only locally:
  • Central authentication via LDAP or similar directories: password hashes can be stored in the directory server rather than only in /etc/shadow.
  • Network authentication (e.g. Kerberos-based setups) further changes where and how credentials are verified, but local /etc/shadow is still common for local accounts.

Why this matters for security

  • Keeping hashes in /etc/shadow drastically reduces exposure because only root can read that file.
  • Even if an attacker gets the file, they still have to crack salted, hashed passwords offline, which is significantly harder than reading plain text.
  • Good password policies (length, complexity, aging) plus strong hashing algorithms (like SHA-512-crypt or bcrypt) are key to strengthening Linux login security.

TL;DR: On Linux, user passwords are stored as salted hashes in /etc/shadow, while /etc/passwd only keeps public account info and a reference to that shadow entry.
