I think part of what you’re missing may be a set of very old assumptions about where the danger is coming from.

Linux was modeled after UNIX, and much of its core software was ported from other UNIX versions, or at least written in imitation of their utilities. UNIX was designed to be installed on large pre-Internet multi-user mainframe+dumb terminal systems in industry or post-secondary education. So there’s an underlying assumption that a system is likely to have multiple human users, most of whom are not involved in maintaining the system, some of whom may be hostile to each other or to the owner of the system (think student pranks or disgruntled employees), and they all log in at once. Under those circumstances, users need to be protected from each other, and the system needs to be protected from malicious users. That’s where the system of user and root passwords is coming from: it’s trying to deal with an internal threat model, although separating some software into its own accounts also allows the system to be deployed against external threats. Over the years, other things have been layered on top of the base model, but if you scratch the paint off, you’ll find it there underneath.

Windows, on the other hand, was built for PCs, and more or less assumes that only one user can be logged in to a machine at a time. Windows security is concerned almost entirely with external threats: viruses and other malware, remote access, etc. User-versus-user situations are a very minor concern. It’s also a much more recent creation—Windows had essentially no security until the Internet had become well-established and Microsoft’s poor early choices about macros and scripts came back to bite them on the buttocks.

So it isn’t so much that one is more secure than the other as that they started with different threat models and come from different periods of computing history.

At uni I logged on a thin terminal that would then connect to a computer with hundreds of users.

You think of your computer as a desktop but in a reality it can be a lot more than that. Hundreds of users could simultaneously use it without bothering you (assuming resources are sufficient).

Obviously that also means you shouldn’t be able to see or edit files from other users

You, like most of us to be clear, are just using it in a very very limited way.

It costs pragmatically nothing to keep this model working and it seriously limit usage to remove that. Now if you do want, you can autologin and skip all this but at your own risk.

TL;DR: a desktop is just a server with a screen, mouse and keyboard, nothing magical about it. If a server can handle hundreds of users, so can your desktop even if that’s not how you use it.

What is Linux protecting us from by using passwords?

I’d argue: from yourself.

On windows I often spam clicked through dialogues and popups and without thinking got malware or some other unwanted outcome.

On linux, when asked for a password it takes effort to type, so I have a moment of my lazy brain resisting and asking “do we really need to do that” and it makes the action more conscious and responsible. I cought myself one step from fucking something up multiple times this way.

I had some viruses and malware on windows, just like you. But I never had them on linux in mt 15 years of daily driving it.

Any OS with no password is insecure. Hands down.

Linux/Unix has a permissions structure that works at the filesystem level, to be really brief about it.

Files are owned by users. Users can be part of groups to represent a larger number of users for simple organization.

Regular users can only touch files they own, or are owned by a group they are in. Root has master permissions to anything.

As a regular user, your home directory is owned by you. Anything you create is owned by you. All programs executed by you require that you have permissions to those things. Therefore if you’re just bouncing on the system and doing things, you can only harm the files that you own.

Your account having a password prevents access to this account. Though it’s a regular user, anyone with that password can harm your files.

The Root password allows anyone to execute or delete any files on the system. Anyone with this password can get to any file on the system, so you never let anyone know this password.

Your assumption that SSH somehow has different passwords is incorrect. You make a user on a machine and you don’t prevent SSH access…then they can SSH in, but they’re still a regular user.

If no password is needed to do authentication, then any script and any user is able to do whatever they want on your system. Basically every script and application has root access by default. That is something you do not want to have. Even more important in multiuser environments.

Not really sure what you’re asking here

Is Windows + UAC + no password secure?

No.

What is Linux protecting us from by using passwords?

Bad humans & mistakes. But Linux doesn’t need passwords.

Linux & Windows came from a command-line history, so things like UAC are just a GUI version of sudo (and there is (was?) a Linux equivalent if you wanted it)

So, consider these as options on either OS. If you want it, it’s there, if you don’t, don’t - other options exist depending on your uae case (ie SSH keys, biometrics, etc…)

To the point; not using a password is a choice on convenience over protection.

Relevant xkcd: https://xkcd.com/1200/

Fyi UAC is not strong protection . Also, it really doesn’t matter if you have a password or not, UAC works the same way.

SELinux or other MAC systems (AppArmour?) are complicated but can protect a Linux system in a way similar to the UAC prompts on Windows, although its not convenient at all.

Maybe someone has a gui to make it easy, but I’ve never used it.

I think you may be happy with setting a short or empty user password so a sudo popup is basically the same as clicking allow on a UAC prompt

It’s there to protect you from crimes of opportunity. Like if your car is locked, a thief could decide to pick the lock, smash the windows in, or find another victim, but they would have no second thoughts if your car were already unlocked. The password deters a casual hacker and buys you some time to notice and deal with anyone seriously trying to break in.

In an ideal case of disk encryption and a well-designed lock screen, the password forces a would-be intruder to either spend lots of time guessing it or shut down the computer, thereby discarding the encryption key from memory and thwarting the attack.

I will not address the core questions since others have. I will offer a solution that might do what you want. I disclaim all responsibility if you choose to do this.

You can buy keyboards such that when you press a macro button, it will type an arbitrary string. Some Logitech keyboards have (had?) programmable keys that did this.

I’m not suggesting this is a good solution, but it is a solution.

Edit: idc about the downvotes on this, I’d probably downvote it too. But since OP keeps asking this question over and over and over and over and over and over again I gave him what he wants. I do not endorse doing this. I don’t do it, passwords are important

I don’t use Windows often, so I might be missing some context - every Windows computer I’ve used has an account with a password that I need to type in sometimes, though admittedly not for every privileged operation. They prevent most people with physical access from doing anything, in the same way that the locks on your doors or windows do. Opportunistic actors are prevented from access.

Most Linux distros probably tend to prompt you to actually type in your password more often, but:

• SSH: if you aren’t connecting to your computer via SSH you have no reason to be running an SSH Server. In most cases, you should be using a key pair for auth, and the password for the key (if set) is what you’re typing in. This provides a layer of security beyond what a password-less key pair offers because physical access to your private key no longer grants access to the remote system without the password.
• Encrypted drives: similarly adds a layer on top of physical access necessary to decrypt the data
• Keyrings: password re-use is a bad thing, and re-using your login password for what amounts to a password manager is also not great practice, though admittedly relatively common

You are correct and most of the commenters here are wrong, UAC is a feature that IS secure without a password and Linux does not have any equivalent.

Windows can safely control privilege escalation through a secure elevated prompt that only the user can interact with.

Because Linux doesn’t have any kind of secure elevated prompt like that, any process could impersonate you to log in as your user if it didn’t have a password, so you just have to have a password on Linux if you want it to be secure.

I don’t believe there is any particular advantage of linux insisting on password input for privilege escalation. Obviously there is no proof of this, but I suspect that the design of this privilege escalation flow in linux is at least partly caused by its popularity as a server OS, for example the UI flow for Windows UAC wouldn’t work if you’re trying to remotely administrate a server through the terminal.

Is Windows + UAC + no password secure?

It should be, in fact I believe that by default if your local admin account doesn’t have a password set, remote logins and run-as is disabled for that account so you might even be able to argue that it is more secure. It’s probably one of the reasons why Windows 11 comes with a recommended option to disable passwords and only authenticate through Windows Hello.