To find out when a Linux account’s password was last changed, you can view the shadow file in the terminal as root: –
sudo cat /etc/shadow
This will bring up the accounts and hashed passwords in the terminal, the third value is the date the password was changed.
NAME : $6$.n. : 18611
To work out the date the password was changed you need to find out how many days since the epoch date (‘epoch’ is often used as a synonym for Unix time) January 1, 1970.
So the the above (18611) is Tuesday, December 15, 2020.
There is a calculator here – https://www.epochconverter.com/seconds-days-since-y0
So you can scan down the list and see if there is a different value, this way you don’t need to export any information, but for it to be a real issue you would need to have both the /etc/passwd and /etc/shadow file for offline password cracking.
This article was very useful and worth a look if you would like to understand the /etc/shadow file :-