Password hashes on a Linux system are stored in the password file in the crypt(3) format. Below is an example record. (It comes from a mail-account password file, where the hash is followed by per-mailbox metadata such as quota, home directory and the day of the last change; the hash string itself has exactly the same format as the one in /etc/shadow.) Note that these are hashes, not encrypted passwords: the password cannot be decrypted from the stored value, it can only be guessed and checked against it.
passwd:$6$wPG/soAxdTJIJZzW$Vrx4IInfPmOydKMGuTDFqnL2YQpnPimFlrkx0PHYBe8zDbYC8dfZ2.KOOJ8PPwO70ofr2FdpZgV2Co7Ai2.Eh0 quota:262144000 homedir:/home/medusoft/mail/medusoft.com.au/david.kovacs strength:92 lastchanged:15967
This is how the hash is encoded. It follows the modular crypt format $id$salt$hash, and the leading $6$ identifies the algorithm: sha512crypt, the SHA-512-based crypt(3) scheme (a salted, iterated one-way hash, not encryption). Other identifiers you will meet in the same position are $1$ (md5crypt, obsolete and cheap to crack), $5$ (sha256crypt), $y$ (yescrypt, the default on recent Debian, Ubuntu and Fedora releases) and $2b$ (bcrypt).
$6$wPG/soAxdTJIJZzW$Vrx4IInfPmOydKMGuTDFqnL2YQpnPimFlrkx0PHYBe8zDbYC8dfZ2.KOOJ8PPwO70ofr2FdpZgV2Co7Ai2.Eh0
The section between the second and third $ is the salt: up to 16 random characters chosen when the password is set, so that two accounts with the same password get different hashes and precomputed (rainbow) tables are useless.
$wPG/soAxdTJIJZzW
And the final section is the hash itself: 86 characters in crypt's own base-64 alphabet (./0-9A-Za-z), encoding the 64-byte SHA-512 result of the salted, iterated computation.
$Vrx4IInfPmOydKMGuTDFqnL2YQpnPimFlrkx0PHYBe8zDbYC8dfZ2.KOOJ8PPwO70ofr2FdpZgV2Co7Ai2.Eh0
This is how user accounts are specified in the /etc/passwd file, one account per line.
zkovacs:x:875:876::/home/medusoft/mail/medusoft.com.au/zkovacs:/home/medusoft
marianna.fazekas:x:875:876::/home/medusoft/mail/medusoft.com.au/marianna.fazekas:/home/medusoft
gd:x:875:876::/home/medusoft/mail/medusoft.com.au/gd:/home/medusoft
spam:x:875:876::/home/medusoft/mail/medusoft.com.au/spam:/home/medusoft
david.kovacs:x:875:876::/home/medusoft/mail/medusoft.com.au/david.kovacs:/home/medusoft
viktoria.kovacs:x:875:876::/home/medusoft/mail/medusoft.com.au/viktoria.kovacs:/home/medusoft
User accounts in the /etc/passwd file are specified in a colon (':') separated format. Each line represents a single user account with the following seven fields, in this order:
Field | Description |
---|---|
Username | The login name used for authentication. |
Password | Historically held the password hash in crypt(3) format. On practically every modern system this field is just an 'x', meaning the hash lives in /etc/shadow, which only root can read; /etc/passwd itself is world-readable, so a real hash here would be exposed to every local user and process. |
User ID (UID) | The numeric identifier of the user. UID 0 is root, and any account with UID 0 has full privileges regardless of its name. In the example above all six mail accounts share UID 875, so at the file-system and process level they are the same user. |
Group ID (GID) | The numeric identifier of the user's primary group. Users can belong to additional groups (listed in /etc/group), but this field names the primary one. |
GECOS (Full Name) | A free-form comment field, traditionally the user's full name. The format isn't strictly enforced and some systems use it for additional details such as office or phone number. |
Home Directory | The absolute path to the user's home directory where their files are stored. |
Login Shell | The program executed when the user logs in. Common examples include bash, sh, or zsh. Many system accounts have /bin/false or /sbin/nologin here, indicating they are not intended for interactive logins. |
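To make the field layout concrete, here is an added example (not code from the original page) that parses /etc/passwd records into the seven fields and runs the checks a reviewer would apply: non-root accounts with UID 0, several accounts sharing one UID (as the six mail accounts above do), hashes left in the world-readable file, and which accounts get an interactive shell. The six records from the article are used as input, together with three constructed lines (root, a hypothetical UID-0 account named backup, and an nginx service account) so that each check fires:

```python
"""
Parse /etc/passwd records and flag what matters for access control:
non-root accounts with UID 0, several accounts sharing one UID, password
hashes left in the world-readable file, and accounts that get a shell.
Added example for this article, not code from the original page. The
sample records are the six from the article plus three constructed lines
(root, a UID-0 'backup' account and an nginx service account) that
exercise the checks.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Placeholders that mean "no hash here": 'x' (hash is in /etc/shadow),
# '*', '!' and '!!' (no valid password at all).
NO_HASH = {"x", "*", "!", "!!"}
# Shells that refuse an interactive session. On a real host, cross-check
# the shell field against /etc/shells as well.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/usr/bin/nologin"}


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list[PasswdEntry]:
    """One PasswdEntry per non-empty line; each line must have exactly 7 fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: list[PasswdEntry]) -> dict[str, list[str]]:
    """Map account name -> findings. Accounts with nothing to report are absent."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_uid: dict[int, list[str]] = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e.name)
        if e.uid == 0 and e.name != "root":
            findings[e.name].append("UID 0 under a non-root name: full root privileges")
        if e.password == "":
            findings[e.name].append("empty password field: historically means login without a password")
        elif e.password not in NO_HASH:
            findings[e.name].append("hash stored in world-readable /etc/passwd instead of /etc/shadow")
    for uid, names in by_uid.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings[n].append(f"UID {uid} shared with {others}: same owner of files and processes")
    return dict(findings)


def interactive_accounts(entries: list[PasswdEntry]) -> list[str]:
    """Accounts whose login shell is not one of the known no-login programs."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


# First six lines copied from the article; the last three are constructed.
SAMPLE_PASSWD = """\
zkovacs:x:875:876::/home/medusoft/mail/medusoft.com.au/zkovacs:/home/medusoft
marianna.fazekas:x:875:876::/home/medusoft/mail/medusoft.com.au/marianna.fazekas:/home/medusoft
gd:x:875:876::/home/medusoft/mail/medusoft.com.au/gd:/home/medusoft
spam:x:875:876::/home/medusoft/mail/medusoft.com.au/spam:/home/medusoft
david.kovacs:x:875:876::/home/medusoft/mail/medusoft.com.au/david.kovacs:/home/medusoft
viktoria.kovacs:x:875:876::/home/medusoft/mail/medusoft.com.au/viktoria.kovacs:/home/medusoft
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:constructed UID-0 account:/root:/bin/bash
nginx:x:996:994:constructed service account:/var/lib/nginx:/sbin/nologin
"""

if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for name, notes in audit_passwd(accounts).items():
        for note in notes:
            print(f"{name}: {note}")
    print("interactive shells:", ", ".join(interactive_accounts(accounts)))
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; the shared-UID finding is the one that catches virtual-user setups like the mail accounts above, where every mailbox runs as the same Unix user.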
Here is another example. This is the /etc/shadow file, which holds the password hashes that the 'x' in /etc/passwd points to. It is readable by root only, and each line has nine colon-separated fields: login name, password hash, day of the last password change (days since 1970-01-01; 0 forces a change at the next login, an empty field disables password aging), minimum days between changes, maximum password age, days of warning before expiry, days of inactivity after expiry before the account is disabled, account expiry day, and a reserved field. A password field of !! or ! (or *) contains no usable hash, so the service accounts below (qemu, apache, nginx, mysql, ...) cannot authenticate with a password. Locking the password field is not the same as disabling the account, though: the passwd(1) man page notes that other methods such as an SSH key may still log the user in, so pair the lock with an expiry date (usermod --expiredate 1) or a no-login shell.
user1:$6$rounds=65536$GrEwAW2vITiK2r6V$3Y0panmWUtECb0YryrV/G4esOBsnwI2Xdcpzcf1AZuA6lDvwQrnbrEq7ebi.M5FGeMNEMznefyvHwc95EwhQS0:0:0:90:7:::
user2:$6$rounds=65536$Gh0iGO4CRaKNRSs0$kV3QJf0YZdubeq0oSBE3tnX4hvv5CFi4o9jtq71AksWoqTy.b.nstLCkFrfNkXoFrOKVjfbJPRoPCkFEQh7cI/:0:0:90:7:::
user3:$6$rounds=65536$1cqU68jlYRfD5bkJ$GjQLCnyN9CTGXtScphb56jJtrlCQl06zjp9C2sfGmqZEsNoDZSC6DfFTxM5BOSL.5QUhEPcnLP1O1P4Wq6x1z/:19555:0:90:7:::
qemu:!!:19557::::::
saslauth:!!:19557::::::
rpc:!!:19557:0:90:7:::
rpcuser:!!:19557::::::
unbound:!!:19557::::::
apache:!!:19563::::::
nginx:!!:19563::::::
mysql:!!:19564::::::
toranon:!!:19569::::::
clamupdate:!!:19687::::::
mdatp:!!:19687::::::
johann:$6$rounds=65536$KKJlO3vWN.Gx/MKF$M3.oWNOTjtxPuusCu2.8C7UWaQRLxfhvi/yTXpWuby8MEBOOCy012jsN3bopSWYLuE/XV2FWDwLdSiAqi/j091:19753:0:90:7:::
The rounds=65536 prefix in front of the salt sets the iteration count of sha512crypt: the hash computation is repeated 65536 times instead of the default 5000 that applies when no rounds= value is present (the accepted range is 1000 to 999999999; it is configured through SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in /etc/login.defs or the rounds= option of pam_unix). An attacker pays that cost for every candidate password, so each guess against these hashes is about 13 times more expensive than against a default-rounds hash.
The legitimate login pays it only once per authentication, which on current hardware is still only tens of milliseconds: invisible to the user, but multiplied across the billions of guesses a cracking run needs. Keep in mind that sha512crypt is CPU-bound only; where the platform supports it, the memory-hard yescrypt gives better resistance to GPU cracking at the same login latency.
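The two parsers below, an added example rather than code from the original page, tie the hash format described at the top of the article to the /etc/shadow layout just shown: parse_crypt splits a $id$[rounds=N$]salt$hash string (plus yescrypt's parameter field and bcrypt's cost field) into algorithm, iteration count, salt and digest, and audit_shadow reports, per record, the hash algorithm and its cost relative to the 5000-round default, locked or empty password fields, and forced password changes. The first four sample records are copied from the /etc/shadow excerpt above; the last two (a legacy md5crypt account and a guest account with an empty password field) are constructed to exercise those checks.

```python
"""
Parse crypt(3) hash strings and /etc/shadow records and report what an
auditor looks for: algorithm, iteration count, locked or empty password
fields, and forced password changes.
Added example for this article, not code from the original page. The
first four sample records are copied from the /etc/shadow excerpt in the
text; the last two are constructed to exercise the weak-hash and
empty-password checks.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# $id$ prefixes handled here (modular crypt format).
ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
              "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000          # sha256crypt/sha512crypt without rounds=
DIGEST_LEN = {"md5crypt": 22, "sha256crypt": 43, "sha512crypt": 86}


@dataclass
class CryptHash:
    algorithm: str
    rounds: Optional[int]   # iteration count where the scheme exposes one
    salt: str
    digest: str


def parse_crypt(field: str) -> CryptHash:
    """Split $id$[rounds=N$]salt$hash (and bcrypt's $2b$cost$salthash) into parts."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in ALGORITHMS:
        raise ValueError(f"not a recognised crypt string: {field!r}")
    algorithm, body = ALGORITHMS[parts[1]], parts[2:]
    if algorithm == "bcrypt":
        # $2b$12$<22-char salt><31-char hash>: the cost is log2 of the rounds
        cost, salthash = int(body[0]), body[1]
        return CryptHash(algorithm, 2 ** cost, salthash[:22], salthash[22:])
    rounds = None
    if algorithm == "yescrypt":
        body = body[1:]                      # skip the encoded parameter block (e.g. j9T)
    elif algorithm in ("sha256crypt", "sha512crypt"):
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
        if body[0].startswith("rounds="):
            rounds = int(body[0][len("rounds="):])
            body = body[1:]
    if len(body) != 2:
        raise ValueError(f"unexpected field layout: {field!r}")
    salt, digest = body
    expected = DIGEST_LEN.get(algorithm)
    if expected is not None and len(digest) != expected:
        raise ValueError(f"{algorithm} digest should be {expected} chars, got {len(digest)}")
    return CryptHash(algorithm, rounds, salt, digest)


@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchange: Optional[int]   # days since 1970-01-01; 0 = change at next login; empty = aging off
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    days = [int(f) if f else None for f in fields[2:8]]   # field 9 is reserved
    return ShadowEntry(fields[0], fields[1], *days)


def audit_shadow(entry: ShadowEntry) -> list[str]:
    """Findings for one record, in the order an auditor would triage them."""
    findings = []
    pw = entry.password
    if pw == "":
        findings.append("EMPTY password field: no password needed if pam_unix allows nullok")
    elif pw.startswith("!") or pw.startswith("*"):
        # '!' or '!!' = locked / never set, '*' = no valid hash. This only blocks
        # password logins; an SSH key still works unless the shell is nologin.
        findings.append("password locked, no usable hash")
    else:
        h = parse_crypt(pw)
        if h.algorithm == "md5crypt":
            findings.append("md5crypt: obsolete and cheap to brute-force, rehash on next password change")
        elif h.algorithm in ("sha256crypt", "sha512crypt"):
            factor = h.rounds / SHA_CRYPT_DEFAULT_ROUNDS
            findings.append(f"{h.algorithm}, rounds={h.rounds} ({factor:.0f}x the default cost per guess)")
        else:
            findings.append(h.algorithm + (f", rounds={h.rounds}" if h.rounds else ""))
    if entry.lastchange == 0:
        findings.append("must change password at next login")
    elif entry.lastchange is None:
        findings.append("password aging disabled (empty last-change field)")
    return findings


def audit_shadow_file(text: str) -> dict[str, list[str]]:
    return {e.name: audit_shadow(e)
            for e in (parse_shadow_line(l) for l in text.splitlines() if l.strip())}


# First four lines copied from the article; 'legacy' and 'guest' are constructed.
SAMPLE_SHADOW = """\
user1:$6$rounds=65536$GrEwAW2vITiK2r6V$3Y0panmWUtECb0YryrV/G4esOBsnwI2Xdcpzcf1AZuA6lDvwQrnbrEq7ebi.M5FGeMNEMznefyvHwc95EwhQS0:0:0:90:7:::
user3:$6$rounds=65536$1cqU68jlYRfD5bkJ$GjQLCnyN9CTGXtScphb56jJtrlCQl06zjp9C2sfGmqZEsNoDZSC6DfFTxM5BOSL.5QUhEPcnLP1O1P4Wq6x1z/:19555:0:90:7:::
qemu:!!:19557::::::
rpc:!!:19557:0:90:7:::
legacy:$1$saltsalt$0123456789abcdefghijkl:19555:0:99999:7:::
guest::19555:0:99999:7:::
"""

if __name__ == "__main__":
    for name, notes in audit_shadow_file(SAMPLE_SHADOW).items():
        print(f"{name}: {'; '.join(notes)}")
```

The digest-length check is deliberate: a truncated or hand-edited hash that still starts with $6$ will never match any password, and finding that in an audit is more useful than silently reporting the record as sha512crypt.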