Why do some people think Linux machine accounts with passwords are more secure than accounts without passwords?

It really depends on what you call passwordless accounts. An account with an empty password in the password database (normally /etc/shadow) is highly insecure because anybody could use it. On the other hand, an impossible-to-match password like * in the same database prevents anybody from logging in with this account because no password could ever give such a hash. In the latter case, adding a password is just useless and actually lowers the account security because it could be brute forced.
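The three cases this answer distinguishes (empty field, an unmatchable marker such as `*` or `!`, and a real hash) can be told apart mechanically from the second field of each /etc/shadow line. The following audit script is an added example, not code from the original answers; the shadow lines it reads are constructed samples, and the category names are my own.

```python
"""Classify /etc/shadow-style entries by what their password field permits.

Added example (not from the original answers). It inspects the second field
of each line and reports whether password login needs no password at all,
is blocked entirely, or is guarded by a hash that could be brute-forced if
the file leaked.
"""
from __future__ import annotations

# Constructed sample lines; these are not from any real system.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:!:19000:0:99999:7:::
alice:!$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
bob:$y$j9T$saltsalt$hashhashhash:19000:0:99999:7:::
"""

def classify_password_field(field: str) -> str:
    """Return 'empty', 'locked', 'locked-hash' or 'hashed' (hypothetical labels)."""
    if field == "":
        return "empty"        # the "anybody could use it" case from the answer
    stripped = field.lstrip("!*")
    if stripped == "":
        return "locked"       # only * or ! markers: no password can ever match
    if stripped != field:
        return "locked-hash"  # a hash kept behind a ! or * prefix: auth disabled
    return "hashed"           # real hash present: brute-forceable if leaked

def audit_shadow(text: str) -> dict[str, str]:
    """Map each username to the classification of its password field."""
    result: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue          # malformed line; skip rather than guess
        result[parts[0]] = classify_password_field(parts[1])
    return result

def empty_password_accounts(text: str) -> list[str]:
    """Accounts whose password field is empty: the insecure case to flag."""
    return [u for u, c in audit_shadow(text).items() if c == "empty"]

if __name__ == "__main__":
    for user, kind in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:12s} {kind}")
```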


Your understanding is correct.

In my view there is no security benefit to not having a password when you have the option to have a password. Having a layer of authentication for a user is almost always going to be more secure than not having it. Even if /etc/shadow is exposed an attacker will still need to discover and retrieve/brute force the password from it.

There may be situations where you do want an account to not have a password, perhaps some service account or something, but this has nothing to do with making the account more secure and everything to do with practicality, convenience and/or functionality.

UPDATE: Just to add that adding a password when there isn’t one already as described by Serge Ballesta is of course going to introduce something that can be attacked.



The only time I've seen this confusion come up is in a large organization where InfoSec mandated the use of particular security hardening tools. The tools would sometimes have specific requirements on password strength and rotation, or they have requirements to have password authentication on sudo.

This leads to the awkward discussion of "no password" and the endless confusion from management. To be clear, I try to say "password authentication is not possible".

Rather than obtaining a security exemption from password requirements, or explaining it to an auditor, it becomes necessary to enable password authentication and create passwords.

This is generally less secure, and introduces issues around lockouts and expiration affecting the more secure methods of access.

If you check your company's InfoSec policies and the standards they need to comply with, it might explain the policy.