Linux – Last password Change

Linux – Last password Change

Mark February 7, 2021

To find out when a Linux account’s password was last changed, you can view the shadow file in the terminal as root: –

sudo cat /etc/shadow

This will bring up the accounts and hashed passwords in the terminal, the third value is the date the password was changed.

NAME : $6$.n. : 18611

To work out the date the password was changed you need to find out how many days since the epoch date (‘epoch’ is often used as a synonym for Unix time) January 1, 1970.

So the the above (18611) is Tuesday, December 15, 2020.

There is a calculator here – https://www.epochconverter.com/seconds-days-since-y0

So you can scan down the list and see if there is a different value, this way you don’t need to export any information, but for it to be a real issue you would need to have both the /etc/passwd and /etc/shadow file for offline password cracking.

This article was very useful and worth a look if you would like to understand the /etc/shadow file :-

https://linuxize.com/post/etc-shadow-file/