Physical access isn’t game over, it’s only game over to a determined hacker. The vast majority of people aren’t competent enough for it to be an issue. It’s just like how a determined thief can get through almost any lock or door, but it takes effort and time, and skill which many casuals just won’t have.

Full-disk encryption passwords are the most important password, they can prevent physical access from being game-over.

Unix was originally designed to be multi-user, so different passwords protect different users from each other.

Linux doesn’t have a UAC-without-passwords equivalent really, programs can interact with the Linux UAC equivalents just as much as you can, so the password makes sure it’s really you, and not a malicious program or person. UAC on Linux would require an almost fundamental architecture change, in a way contrary to most of how Linux is used now.

Did you really never use a password with Windows? That seems wild to me.

It’s there to protect you from crimes of opportunity. Like if your car is locked, a thief could decide to pick the lock, smash the windows in, or find another victim, but they would have no second thoughts if your car were already unlocked. The password deters a casual hacker and buys you some time to notice and deal with anyone seriously trying to break in.

In an ideal case of disk encryption and a well-designed lock screen, the password forces a would-be intruder to either spend lots of time guessing it or shut down the computer, thereby discarding the encryption key from memory and thwarting the attack.

Relevant xkcd: https://xkcd.com/1200/

I always just run anything that asks for it with sudo, and I probably shouldn’t. I wish my software installations (on any device) came with a set of required or requested permissions (with the option to say no). I want to know what I’m letting my software installs do.

Any OS with no password is insecure. Hands down.

Linux/Unix has a permissions structure that works at the filesystem level, to be really brief about it.

Files are owned by users. Users can be part of groups to represent a larger number of users for simple organization.

Regular users can only touch files they own, or are owned by a group they are in. Root has master permissions to anything.

As a regular user, your home directory is owned by you. Anything you create is owned by you. All programs executed by you require that you have permissions to those things. Therefore if you’re just bouncing on the system and doing things, you can only harm the files that you own.

Your account having a password prevents access to this account. Though it’s a regular user, anyone with that password can harm your files.

The Root password allows anyone to execute or delete any files on the system. Anyone with this password can get to any file on the system, so you never let anyone know this password.

Your assumption that SSH somehow has different passwords is incorrect. You make a user on a machine and you don’t prevent SSH access…then they can SSH in, but they’re still a regular user.

I don’t use Windows often, so I might be missing some context - every Windows computer I’ve used has an account with a password that I need to type in sometimes, though admittedly not for every privileged operation. They prevent most people with physical access from doing anything, in the same way that the locks on your doors or windows do. Opportunistic actors are prevented from access.

Most Linux distros probably tend to prompt you to actually type in your password more often, but:

• SSH: if you aren’t connecting to your computer via SSH you have no reason to be running an SSH Server. In most cases, you should be using a key pair for auth, and the password for the key (if set) is what you’re typing in. This provides a layer of security beyond what a password-less key pair offers because physical access to your private key no longer grants access to the remote system without the password.
• Encrypted drives: similarly adds a layer on top of physical access necessary to decrypt the data
• Keyrings: password re-use is a bad thing, and re-using your login password for what amounts to a password manager is also not great practice, though admittedly relatively common

This may or may not help, but here’s my two cents:

Windows was originally built to be as user-friendly as possible because its target audience are non-tech-savvy people. It then evolved into being a business OS. So security was never its first priority.

UNIX was built for tech savvy people to do business-sensitive stuff, and required sophisticated security models. Linux was modeled after UNIX (Minix specifically), and thus inherited those same principles. It evolved to become more user friendly. But security remained a priority.

Now, that said, both Windows and Linux are configurable. You can make Windows more secure with effort, just like you can make Linux less secure with effort (and I don’t mean simply using root all the time).

There are diehards on both sides , and they will make excellent (or terrible) arguments for their favored OS. So you need to decide what works best for you and your use case and go with that. 😊

I don’t believe there is any particular advantage of linux insisting on password input for privilege escalation. Obviously there is no proof of this, but I suspect that the design of this privilege escalation flow in linux is at least partly caused by its popularity as a server OS, for example the UI flow for Windows UAC wouldn’t work if you’re trying to remotely administrate a server through the terminal.

Is Windows + UAC + no password secure?

It should be, in fact I believe that by default if your local admin account doesn’t have a password set, remote logins and run-as is disabled for that account so you might even be able to argue that it is more secure. It’s probably one of the reasons why Windows 11 comes with a recommended option to disable passwords and only authenticate through Windows Hello.