You should not have to touch
the shadow file!
If you have shadowing enabled, the ordinary passwd
command will update the password-value into the shadow-file, putting a dummy placeholder in the visible file.
And I hope that you have Tripwire and so-forth, so that any sneaky hacker's attempt to diddle with
the file manually, to change a password without the knowledge of system administrators, will be instantly detected. . . .