Why do some usernames on FreeBSD start with an underscore?

There may be more than one case, but the one you point out was discussed in a mailing-list thread ISC DHCP Server port UID/GID question in 2008, where the _dhcp user was known to be a special account (with different privileges from the daemon):

  I noticed that, but I believe that that is a privilege separation 
account that is used with the OpenBSD-version of the dhclient. Also, as 
I pointed out, if this is usable, then why isn't the isc-dhcp-server 
port using it instead of allocating a UID/GID for itself during the install?

Erik

Florent Thoumie wrote:
> On Jan 18, 2008 12:01 PM, Erik Van Benschoten <evanben at valleycomnet.com> wrote:
>> Greetings,
>>
>>   Is there a specific reason that the port of the ISC's DHCP server does
>> not seem to have/use a registered UID/GID?
> 
> Maybe because there's already _dhcp user (uid 65) in base?

Checking my FreeBSD 10 machine, I see another account, this one labeled clearly enough:

_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin

Further reading:

• Privilege Separated OpenSSH

• OpenBSD 3.6 ChangeLog

  • Have dhclient(8) fall back to user nobody if user _dhcp doesn't exist. Helps with upgrades.
    
  • New _dhcp user and group for, funnily enough, the DHCP programs.

• "user/group _pflogd:_pflogd" what's with the _ ? (freebsd-current mailing list, 2004)

• pf not logging on 5.3-BETA3 ? (freebsd-pf mailing list, 2004)

    Okay, have you guys read UPDATING?
    > 20040623:
    >         pf was updated to OpenBSD-stable 3.5 and pflogd(8) is privilege
    >         separated now. It uses the newly created "_pflogd" user/group
    >         combination. If you plan to use pflogd(8) make sure to run
    >         mergemaster -p or install the "_pflogd" user and group manually.