The UNIX family of operating system (Unices) historically stored passwords in /etc/passwd, which was readable (but passwords were soon hashed, i.e. passed through a one-way function to obfuscate them).
Eventually, shadow passwords were introduced to have the passwords themselves stored in another place with stricter access rights (readable only by the sysadmin or their group), so even the hashed versions were inaccessible to normal souls, whereas other information traditionally kept in /etc/passwd - e.g. the user's full name - could and can still be retrieved from that file by making it widely readable - just without the passwords, which were moved to the "shadows".
Debian even back then did protect the passwd files appropriately out of the box, but in this server's case, they did an import from an older system where it wasn't protected, and they couldn't figure out how/bothered to convert it to shadow.
I always thought the shadow was just a way to refer to a hash -- the shadow of a thing being less detailed/unique but still capable of being used for recognition.
Maybe I read Plato around the same time as I heard of it and that biased my thinking.
> Could you please explain what this means? Googling didn't reveal much.
An classic UNIX /etc/passwd file is readable by all local users and in the past used to contain the password hashes. One can download these hashes and crack the passwords offline. At some point the problem was recognized and password hashes were moved to special /etc/shadow file which is accessible only to root and members of shadow group making /etc/passwd useless for extracting passwords.
Eventually, shadow passwords were introduced to have the passwords themselves stored in another place with stricter access rights (readable only by the sysadmin or their group), so even the hashed versions were inaccessible to normal souls, whereas other information traditionally kept in /etc/passwd - e.g. the user's full name - could and can still be retrieved from that file by making it widely readable - just without the passwords, which were moved to the "shadows".
See also https://en.wikipedia.org/wiki/Passwd, section "Shadow file" for more details.