by hiAndrewQuinn 999 days ago
To anyone reading this and thinking "yeah dummy, of course it doesn't scale because you're not supposed to store passwords in plain text in the first place" I'll direct you to Chapter 7ish of The Linux Programming Interface.

If you look in your /etc/passwd right now, you'll almost certainly see a single "x" where the (EDIT: no, it was still encrypted!) password originally was - nowadays that single "x" is an instruction to go look in /etc/shadow instead, for the salted hash of the password you're trying to check.

I think this minimizes the number of users who need read permissions to /etc/shadow, and the amount of time they need it for.

This has been your seemingly useless bit of Linux trivia for today. :)

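As an added example (my own code, not from the post or any of the commenters), here is a small Python audit of the record format under discussion: it parses colon-separated passwd- and shadow-style records, follows the "x" indirection from the passwd field to the shadow file, and reports which crypt(3) scheme protects each account. All sample records and hash strings below are constructed for this example (the hashes are placeholders in the right shape, not hashes of any real password), and the finding messages are my own wording.

```python
"""Added example: audit passwd/shadow-style records offline.

Follows the "x" indirection from the passwd field to the shadow file and
classifies the hash scheme of each account. The sample data is constructed
for this example; the hash strings are made-up placeholders, not real hashes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed passwd(5) records: name:passwd:uid:gid:gecos:home:shell
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
legacy:abJnggxhB/yWI:1001:1001:Legacy user:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
svc:x:1003:1003:Service account:/var/lib/svc:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed shadow(5) records: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Deliberately no record for "svc"; "nobody" is locked with "*".
SHADOW_SAMPLE = """\
root:$6$madeupsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
alice:$y$j9T$madeupsalt$FAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

# Traditional DES crypt: 2-char salt + 11-char hash, all from the crypt base64 alphabet.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt prefixes to scheme names (libxcrypt conventions).
_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
    "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}


def classify_hash(value: str) -> str:
    """Name the scheme of a passwd/shadow password field."""
    if value == "":
        return "empty"            # no password needed at all
    if value == "x":
        return "shadowed"         # look in /etc/shadow instead
    if value[0] in "!*":
        return "locked"           # never matches any password
    for prefix, name in _PREFIXES.items():
        if value.startswith(prefix):
            return name
    if _DES_RE.match(value):
        return "des-crypt"
    return "unknown"


def parse_records(text: str, nfields: int) -> Dict[str, List[str]]:
    """Split one-record-per-line, colon-separated text into {name: fields}."""
    records: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        records[fields[0]] = fields
    return records


@dataclass
class Account:
    name: str
    passwd_field: str
    shadow_field: Optional[str]
    scheme: str
    findings: List[str]


def audit(passwd_text: str, shadow_text: str) -> List[Account]:
    """Join passwd and shadow records by name and flag security-relevant states."""
    passwd = parse_records(passwd_text, 7)
    shadow = parse_records(shadow_text, 9)
    results: List[Account] = []
    for name, fields in passwd.items():
        pw = fields[1]
        sh = shadow[name][1] if name in shadow else None
        findings: List[str] = []
        if pw == "x":
            if sh is None:
                scheme = "missing"
                findings.append("passwd says 'x' but there is no shadow record; login cannot succeed")
            else:
                scheme = classify_hash(sh)
        else:
            scheme = classify_hash(pw)
            if scheme not in ("locked", "empty"):
                findings.append("hash stored in world-readable passwd instead of shadow")
        if scheme == "empty":
            findings.append("empty password field")
        if scheme == "des-crypt":
            findings.append("traditional DES crypt: 8-char limit, 12-bit salt, cheap to crack")
        if scheme == "unknown":
            findings.append("unrecognised hash format")
        results.append(Account(name, pw, sh, scheme, findings))
    return results


if __name__ == "__main__":
    for acct in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{acct.name:8} {acct.scheme:12} {'; '.join(acct.findings) or 'ok'}")
```

On a live host you would feed it the contents of /etc/passwd and (as root) /etc/shadow; the example reads embedded strings so it runs without privileges. It parses the records directly rather than going through the getpw*/getsp* library calls, so it also sidesteps the thread-safety caveat of the non-reentrant getpwent family.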

/etc/shadow was born not because /etc/passwd had a plain text password but because the hashes became crackable and /etc/passwd is a public read file. Linux has never had them. Here's the man page indicating encrypted passwords for the Unix v7 /etc/passwd, released in 1979: https://man.cat-v.org/unix_7th/5/passwd
Whoops! My bad, this is an even better bit of trivia.

My mistaken memory really sells the underlying point that everything old is new again.

I have a vague recollection of my 20 floppies of Slackware already having /etc/shadow. That would have been fall of 92 or winter 93, based on where I was living at the time.
I have a vague recollection of being given the choice on a 90s vintage distribution with some warning about security and password length if I did not use shadow passwords. At some point in the early 2000s we started authenticating regular users against AD but the shadow file was still there for root.
We had a couple of labs of SPARCstations that just went away a couple of times a year because something bad would happen with all of the NFS-mounted partitions and they'd have to turn the cluster on one box at a time to prevent thundering herd issues with NFS.

I think they may have been mounting parts of /etc as well. People get the idea that managing accounts for a cluster of boxes should be centralized. It's all fun and games until the network mount disappears.

The shadow file was definitely from quite a while ago.

Can't remember the exact date, but it might have been around the time of the SVR4 intro.

I know because I remember going "ugh", but without investigating the reason why it (shadow) was introduced :) - which was of course wrong on my part.

That was not a "plaintext password"; it was a DES hash (from 7th edition onwards).

This is the same format used by the classic htpasswd utility.

https://en.wikipedia.org/wiki/Crypt_(C)#Traditional_DES-base...

plaintext vs plain text

unencrypted vs unstructured

Of course, unstructured is also incorrect; the passwd and shadow files have structured records, one per line.

…and being structured, the passwd file content should be accessed with the getpwent family of functions.
Which unfortunately are not thread-safe.
"unencrypted" is normally written as "cleartext". "plaintext" means "(readable / intended to be read) without a special viewer". Your .ssh/id_rsa is plaintext but not cleartext.