I've just spotted that on one of my old wheezy servers root entry in
/etc/shadow was updated just over 3 weeks ago.
The root password is still the same and the lastchanged count is much
higher than 3 weeks.
The difference I've noticed is the hashed password string being much longer.
It's now prefixed with $6$ (SHA-512 algorithm) comparing with $1$ (MD5)
before the change.
My first suspect was a security patch but the system was not updated
around that time.
Has anybody seen this before and could explain?