From: Fastjack@yabbs
To: HCELINE@yabbs
Subject: re: Shadowd PW files:
Date: Mon Jan 17 07:05:21 1994

Hello Hagbard...

Here's a little bit of info about Shadowed password files. I am most familiar with the SunOS implementation, but I have examined (i.e. tried to hack) others on Ultrix and SVR4.

In a non-shadowed passwd file, the passwords are the encrypted strings in the second entry of each line:

mylogin:Rh62jpr4:0:something:something.etc:you-get-the-idea:more:csh

or thereabouts. As has been pointed out, it is generally impossible/impractical to decrypt the encrypted strings, but programs to encipher dictionary entries and then compare them to the encrypted strings can get 10-30% of the passwords (this is highly variable; depends on the difficulty of the passwords and also the time you spend cracking-- it isn't practical to spend an extra 12 hours to get an extra handful). Everyone has read access to the /etc/passwd file; you can see the obvious security hole here.

The shadowed password file is an additional file containing the real passwords that can't be read...the original passwd file has something else substituted in the place of the encrypted password.

mylogin:##mylogin:1234:something:somethingelse.......

on SunOS, where the real encrypted string would be hidden in

mylogin:*:1234:somemorestuffthatsactuallyimportantifyoulook:.....

AT&T SVR4 has the passwords in /etc/shadow; hence 'shadowed passwords'. Figuring out how to read the file is the real trick....

Yes, I know that mylogin is root in the first example...

Fastjack
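
An added example, not part of Fastjack's message: a short Python audit that reads passwd-format lines and reports every account whose second field is something other than a shadow placeholder, which is the world-readable exposure the message describes. The sample lines are constructed; the `x` placeholder and the uid-0 check go beyond the `##login` and `*` forms shown in the message and are assumptions of this example.

```python
# Added example: audit passwd-format text for password strings left in the
# world-readable file. SAMPLE_PASSWD is constructed, not taken from a real host.

SAMPLE_PASSWD = """\
mylogin:Rh62jpr4:0:1:Example User:/home/mylogin:/bin/csh
alice:##alice:1234:10:Alice:/home/alice:/bin/csh
bob:*:1235:10:Bob:/home/bob:/bin/sh
carol::1236:10:Carol:/home/carol:/bin/sh
broken-line-without-enough-fields
"""

# "*" is the placeholder shown in the message; "x" is the usual /etc/shadow
# marker on SVR4-style systems (added here as an assumption of this example).
PLACEHOLDERS = {"*", "x"}


def classify(login, field):
    """Return 'shadowed', 'empty' or 'exposed' for a passwd second field."""
    if field == "":
        return "empty"            # no password set at all
    if field == "##" + login:     # SunOS-style placeholder from the message
        return "shadowed"
    if field in PLACEHOLDERS:
        return "shadowed"
    return "exposed"              # anything else is readable by every user


def audit(passwd_text):
    """Return a list of (line number, login, finding) tuples."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            findings.append((lineno, parts[0], "malformed"))
            continue
        login, field, uid = parts[0], parts[1], parts[2]
        status = classify(login, field)
        if status != "shadowed":
            findings.append((lineno, login, status))
        if uid == "0" and login != "root":
            findings.append((lineno, login, "uid0-not-root"))
    return findings


if __name__ == "__main__":
    for lineno, login, finding in audit(SAMPLE_PASSWD):
        print(f"line {lineno}: {login}: {finding}")
```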