Passwords, Hashing, and Linux

Encoding, Encryption, and Hashing

Read this :

Then read this: It is significantly more advanced, but is a pretty cool read. Don't rabbit hole too hard, just enough to answer the question: "How does hashing and salting effect password cracking?"


As we said, modern Linux versions don't store passwords in /etc/passwd. Instead, they have been moved to /etc/shadow. So now, guess we just have to cat /etc/shadow instead, right?

If you have been paying attention to this course so far, I bet you guessed that wouldn't work. If you check the permissions, in order to read /etc/passwd, we need root access. So now we try it with superuser privileges and we should see the results.

There should be a bunch of entries, but let's break one down.


Briefly read through the man page for "shadow" and see the breakdown: man shadow

The most notable part of this is the password field, field #2. To break it out, we can see that it is represented by:


Notably, you can't actually read the password! Let's break this field down ever further:

  • $6
    • This represents the hashing mechanism we are using to generate the hash from this password
  • $iU9KjTeD
    • This represents the randomly generated salt used
    • By adding the random salt, we minimize the effectiveness of rainbow table attacks, which makes our passwords much harder to crack.
  • $5myyo4W7zppTOEdVUeP8...
    • This is the resulting hash of taking the user's password and the randomly generated salt

When a user types in a password, the OS takes the input, adds the salt that is saved in /etc/shadow, hashes the string, and then compares the output to the saved hash in /etc/shadow. If the hashes match, access is granted.

Beyond this format, there are a few other characters that can be saved in an /etc/shadow password field. The use of "!" or "*" in this field indicates that the account cannot be logged into using a password, and must instead be logged into using an alternate method, such as an SSH key. This minimizes risk by forcing an attacker to know or have something besides a simple password.

As a note, on modern Linux systems there are a variety of authentication methods which use /etc/shadow in various ways. They are outside of the scope of this course, if you ever find yourself in a job that focuses on Linux auth, blame me for not teaching you more.

Lock or Delete an Account

If you need to lock an account so that it cannot be logged into, but still exists, use this command.

$ sudo usermod -L account_name

It will modify the /etc/shadow file to have an "*" in front of the password field so the account cannot be logged into. Check this using cat.

To delete an account:

$ sudo userdel account_name


  1. What is in /etc/shadow? Describe how hashing, salting, and cracking work from the perspective of a defender.
  2. Break down this entry from /etc/shadow. Describe each field. especially focusing on the password field.
    • dennis:$6$iU9KjTeD$5myyo4W7zppTOEdVUeP8/E6Kmjl7CtYYFqIIyes.fnNHy1fR0gJLb0q2KLhjAH6KrPpHZ0eJorBh.D74mq.vQ.:17952:0:99999:7:::
  3. Create an account, set the password, check the password in /etc/shadow. Then lock the account using usermod, check the password again. Now, unlock the account, you will have to Google or use man pages for this. Check /etc/shadow again. Briefly write up what you saw and any problems you had doing this.

Answer in the appropriate format.