Why do some people think linux machine accounts with passwords are more secure than accounts without passwords?

It really depends on what you call password less accounts. An account with an empty password in the password database (normally /etc/shadow) is highly unsecure because anybody could use it. On the other hand, an impossible to match password like * in same database prevents anybody to log with this account because no password could ever give such a hash. In the latter case, adding a password is just useless and actually lowers the account security because it could be brute forced.


Your understanding is correct.

In my view there is no security benefit to not having a password when you have the option to have a password. Having a layer of authentication for a user is almost always going to be more secure than not having it. Even if /etc/shadow is exposed an attacker will still need to discover and retrieve/brute force the password from it.

There may be situations where you do want an account to not have a password, perhaps some service account or something, but this has nothing to do with making the account more secure and everything to do with practicality, convenience and/or functionality.

UPDATE: Just to add that adding a password when there isn’t one already as described by Serge Ballesta is of course going to introduce something that can be attacked.

enter image description here


The only time I've seen this confusion come up is in a large organization where InfoSec mandated the use of particular security hardening tools. The tools would sometimes have specific requirements on password strength and rotation, or they have requirements to have password authentication on sudo.

This leads to the awkward discussion of "no password" and the endless confusion from management. To be clear, I try to say "password authentication is not possible".

Rather than obtaining a security exemption from password requirements, or explaining it to an auditor, it becomes necessary to enable password authentication and create passwords.

This is generally less secure, introduces issues around lockouts and expiration affecting the more secure methods of access.

If you check your company's InfoSec policies and the standards they need to comply with, it might explain the policy.

Tags:

Linux

Passwords

Related

MacOS Ransomware with EFI Lock How to encypt sensitive data in database of a web app? How to use YubiKey through GnuPG on remote server? PayPal payment reversal; scammer at work? Privacy: can my employer access sensitive information if they pay my mobile subscription? I bought the hardware myself Understanding a TLS 1.3 0-RTT replay attack Should a vulnerability in a service that is present on the device, but not running and not used at all, be mentioned in the vulnerability report? Does the X-Permitted-Cross-Domain-Policies header have any benefit for my website if I'm not using Adobe products? HTTP Digest Authentication: Does the server store plaintext passwords? Someone is trying to access my mail account, what safe actions can I take? Are encrypted Cookies vulnerable to Padding Oracle Attacks Why is Firefox (and only Firefox) reporting that my connection is insecure on multiple sites?

Recent Posts