You should not have to
touch the shadow file!
If you have shadowing enabled, the ordinary
passwd command will update the password-value into the shadow-file, putting a dummy placeholder in the visible file.
And I hope that you have Tripwire and so-forth, so that any sneaky hacker's attempt to
diddle with the file manually, to change a password without the knowledge of system administrators, will be instantly detected. . . .