I think the basic premise of this question, that Windows and Linux somehow have a different foundational security model that is or isn’t based on passwords, is not really true. Passwords play more or less the same role for any modern operating system – be it Linux, MacOS, Android, iOS, etc.

The only major difference is that instead of UAC, Linux has a variety of options (sudo, policykit, run0), which are implemented differently across different distributions. If your privileged user doesn’t have a password, in some cases this could lead to any program being able to elevate their privilege quietly, unlike UAC.

However, in many distributions you can set up a user with a password and enable passwordless local login, which would be almost equivalent to windows with no password.

Answering your question directly, the major threat to most consumer users is physical compromise or theft of device. Your statement that “physical access is game over” is not entirely accurate: disk encryption with a password is a very strong protection against unauthorized data access, but you need to use a password (doesn’t matter if it’s Linux or Windows).

Not really sure what you’re asking here

Is Windows + UAC + no password secure?

No.

What is Linux protecting us from by using passwords?

Bad humans & mistakes. But Linux doesn’t need passwords.

Linux & Windows came from a command-line history, so things like UAC are just a GUI version of sudo (and there is (was?) a Linux equivalent if you wanted it)

So, consider these as options on either OS. If you want it, it’s there, if you don’t, don’t - other options exist depending on your uae case (ie SSH keys, biometrics, etc…)

To the point; not using a password is a choice on convenience over protection.

What are passwordless solutions in Windows for remote access, disk/filesystem encryption, keyrings?

BTW in all that cases a password can be replaced with a hardware token, for instance. It is just the simplest, most widely used and one of the less secure options.

Physical access isn’t game over, it’s only game over to a determined hacker. The vast majority of people aren’t competent enough for it to be an issue. It’s just like how a determined thief can get through almost any lock or door, but it takes effort and time, and skill which many casuals just won’t have.

Full-disk encryption passwords are the most important password, they can prevent physical access from being game-over.

Unix was originally designed to be multi-user, so different passwords protect different users from each other.

Linux doesn’t have a UAC-without-passwords equivalent really, programs can interact with the Linux UAC equivalents just as much as you can, so the password makes sure it’s really you, and not a malicious program or person. UAC on Linux would require an almost fundamental architecture change, in a way contrary to most of how Linux is used now.

Did you really never use a password with Windows? That seems wild to me.

Any OS with no password is insecure. Hands down.

Linux/Unix has a permissions structure that works at the filesystem level, to be really brief about it.

Files are owned by users. Users can be part of groups to represent a larger number of users for simple organization.

Regular users can only touch files they own, or are owned by a group they are in. Root has master permissions to anything.

As a regular user, your home directory is owned by you. Anything you create is owned by you. All programs executed by you require that you have permissions to those things. Therefore if you’re just bouncing on the system and doing things, you can only harm the files that you own.

Your account having a password prevents access to this account. Though it’s a regular user, anyone with that password can harm your files.

The Root password allows anyone to execute or delete any files on the system. Anyone with this password can get to any file on the system, so you never let anyone know this password.

Your assumption that SSH somehow has different passwords is incorrect. You make a user on a machine and you don’t prevent SSH access…then they can SSH in, but they’re still a regular user.

Relevant xkcd: https://xkcd.com/1200/

It’s there to protect you from crimes of opportunity. Like if your car is locked, a thief could decide to pick the lock, smash the windows in, or find another victim, but they would have no second thoughts if your car were already unlocked. The password deters a casual hacker and buys you some time to notice and deal with anyone seriously trying to break in.

In an ideal case of disk encryption and a well-designed lock screen, the password forces a would-be intruder to either spend lots of time guessing it or shut down the computer, thereby discarding the encryption key from memory and thwarting the attack.

I don’t use Windows often, so I might be missing some context - every Windows computer I’ve used has an account with a password that I need to type in sometimes, though admittedly not for every privileged operation. They prevent most people with physical access from doing anything, in the same way that the locks on your doors or windows do. Opportunistic actors are prevented from access.

Most Linux distros probably tend to prompt you to actually type in your password more often, but:

• SSH: if you aren’t connecting to your computer via SSH you have no reason to be running an SSH Server. In most cases, you should be using a key pair for auth, and the password for the key (if set) is what you’re typing in. This provides a layer of security beyond what a password-less key pair offers because physical access to your private key no longer grants access to the remote system without the password.
• Encrypted drives: similarly adds a layer on top of physical access necessary to decrypt the data
• Keyrings: password re-use is a bad thing, and re-using your login password for what amounts to a password manager is also not great practice, though admittedly relatively common

This may or may not help, but here’s my two cents:

Windows was originally built to be as user-friendly as possible because its target audience are non-tech-savvy people. It then evolved into being a business OS. So security was never its first priority.

UNIX was built for tech savvy people to do business-sensitive stuff, and required sophisticated security models. Linux was modeled after UNIX (Minix specifically), and thus inherited those same principles. It evolved to become more user friendly. But security remained a priority.

Now, that said, both Windows and Linux are configurable. You can make Windows more secure with effort, just like you can make Linux less secure with effort (and I don’t mean simply using root all the time).

There are diehards on both sides , and they will make excellent (or terrible) arguments for their favored OS. So you need to decide what works best for you and your use case and go with that. 😊

I always just run anything that asks for it with sudo, and I probably shouldn’t. I wish my software installations (on any device) came with a set of required or requested permissions (with the option to say no). I want to know what I’m letting my software installs do.

I don’t believe there is any particular advantage of linux insisting on password input for privilege escalation. Obviously there is no proof of this, but I suspect that the design of this privilege escalation flow in linux is at least partly caused by its popularity as a server OS, for example the UI flow for Windows UAC wouldn’t work if you’re trying to remotely administrate a server through the terminal.

Is Windows + UAC + no password secure?

It should be, in fact I believe that by default if your local admin account doesn’t have a password set, remote logins and run-as is disabled for that account so you might even be able to argue that it is more secure. It’s probably one of the reasons why Windows 11 comes with a recommended option to disable passwords and only authenticate through Windows Hello.