Credit: Matejmo / Getty Images You may know that passwords are hashed on Linux systems, and the hashes are stored in the restricted access /etc/shadow file. But did you know that you can also determine the hash method that was used and report the number of days since a password was last changed from this file as well? To look at a user record in the /etc/shadow file, run a command like this: $ sudo grep nemo /etc/shadow You should see a line that looks something like this: nemo:$6$FVYIIgcEcObSsUcf$FsSBlV9soVt.Owbd4xnvhlZzjx73ZBQQBT0WM yah6qcdnH91tBf9C4EaYbRtr7jKGETP/TwBNjyrDFqhvK0NV1:18698:7:90:7 ::: In spite of how long that line is, it’s quite easy to parse. The first two fields in the lines of this colon-separated file store: the username (nemo) the password hash (including the hashing method used) in a $id$salt$hashed format That $6$ portion of this string represents the hashing algorithm used. $1$ means MD5 $2a$ means Blowfish $2y$ means Blowfish $5$ means SHA-256 $6$ means SHA-512 The major portion of nemo’s /etc/shadow file entry represents the password hash. The following numeric fields (18698:7:90:7:::) represent: the date of the last password change in a “days since the epoch” format (18698) the minimum required days between password changes (7) the maximum allowed days between password changes (90) the number of days in advance to display password expiration message (7) the number of days after password expiration to disable the account (not set above) the account expiration date (not set above) a reserve field (not set above) To find today’s date in the “days since the epoch” form, you can run a command like that shown in the alias below that divides the “seconds since the beginning of the Unix epoch” by 86,400 (the number of seconds in a day). $ alias epoch_date="echo $(( $(date +%s) / 86400 ))" $ epoch_date 18855 You can then take that first field shown in the numeric fields (18698) of the /etc/shadow file and determine how many days ago the password was changed. In this example, it was 157 days ago. $ expr 18855 - 18698 157 You can also determine the date the password was last changed by using the chage command that grabs the data from the /etc/shadow file and reports that date along with other password stats. $ sudo chage -l nemo Last password change : Mar 12, 2021 Password expires : Mar 12, 2022 Password inactive : never Account expires : never Minimum number of days between password change : 7 Maximum number of days between password change : 90 Number of days of warning before password expires : 7 Wrap-Up The /etc/shadow file stores a lot of important settings for passwords on Linux systems, including the algorithm used to create the password hashes and the password last set and expiration dates. Related content how-to How to find files on Linux There are many options you can use to find files on Linux, including searching by file name (or partial name), age, owner, group, size, type and inode number. By Sandra Henry Stocker Jun 24, 2024 8 mins Linux opinion Linux in your car: Red Hat’s milestone collaboration with exida With contributions from Red Hat and critical collaborators, the safety and security of automotive vehicles has reached a new level of reliability. By Sandra Henry Stocker Jun 17, 2024 5 mins Linux how-to How to print from the Linux command line: double-sided, landscape and more There's a lot more to printing from the Linux command line than the lp command. Check out some of the many available options. By Sandra Henry Stocker Jun 11, 2024 6 mins Linux how-to Converting between uppercase and lowercase on the Linux command line Converting text between uppercase and lowercase can be very tedious, especially when you want to avoid inadvertent misspellings. Fortunately, Linux provides a handful of commands that can make the job very easy. By Sandra Henry Stocker Jun 07, 2024 5 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe