Re: Daily insecurity report and drop priv accounts for handling automated tasks

To: <misc@...>
Date: Tuesday, November 13, 2007 - 11:17 pm

Dave Harrison wrote:

Here's my way of squishing those messages:
* create the user, give it a non-trivial (but easy to type) PW. This
is often useful in the development stage anyway. Don't use a trivial
password in case you forget to do the next step...
* When ready to kill the PW, rather than clearing it, put a
few repeated chars in the encrypted PW string, for example, "----",
using vipw.

You now have an account that technically has a PW, but it is unlikely
anyone will find something that hashes to the string you created. The
string probably has the wrong number of characters anyway. Daily is
happy, you are happy, and no one can log in.

...you hope.

Here's a problem. You may want to be aware of "funny" accounts on
your system. Let's say you "kill" a password as I suggested, then
your evil co-administrator, Bob, decides he wants to keep having
access to this machine after he quits. So, he quietly does a chpass
on that account, then puts in his resignation. You run around and
delete all his accounts, and think, "Job done".

Bob now logs into that account, and uses the ssh key he also dropped
in place to get wherever he wanted to go (assuming a little pre-
planning, of course).

So, you might WANT to have as part of your daily routine verifying
that you have X insecurity reports, and that they are there for the
reasons you expect.

'course, that's hardly the only attack vector. If seeing
"Insecurity Report" freaks your boss out, you might find it safer
to eliminate the report ("Windows never tells me how insecure it
is, so it must be better!"). Otherwise, treat it as just part of
your daily mails.

(Interestingly, your subject line auto-filed your message into my
"Insecurity Reports" folder, and it rather concerned me that a new
message suddenly arrived there. :)

Nick.

Messages in current thread:
Re: Daily insecurity report and drop priv accounts for handl..., Nick Holland, (Tue Nov 13, 11:17 pm)
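
One way to automate the daily check the message describes, as an added example that is not part of the original post: compare the password field of each "killed" account against a recorded baseline and flag any that changed, went missing, or gained an authorized_keys file. The baseline file format (name:expected_field), the function names and the account names are assumptions made for this sketch; the passwd file is read in the ten-field master.passwd layout.

```shell
#!/bin/sh
# Added example, not from the original message.
# audit_locked_accounts MASTER_PASSWD_FILE BASELINE_FILE
#   BASELINE_FILE (hypothetical format): one "name:expected_password_field"
#   per line, e.g. "_report:----" for an account killed as described above.
# Prints one finding per line: CHANGED, MISSING or SSHKEY plus the name.
audit_locked_accounts() {
    pwfile=$1
    baseline=$2
    awk -F: '
        # First file: remember the expected password field per account.
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) want[$1] = $2; next }
        # Second file: master.passwd layout, field 2 = hash, field 9 = home.
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) print "CHANGED " $1
            print "HOME " $1 " " $9
        }
        END { for (n in want) if (!(n in seen)) print "MISSING " n }
    ' "$baseline" "$pwfile" |
    while read -r kind name home; do
        case $kind in
        HOME)
            # A key file on a no-login account deserves a look.
            if [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ]; then
                echo "SSHKEY $name"
            fi ;;
        *)  echo "$kind $name" ;;
        esac
    done
}

# Constructed sample data (not from any real system), written under DIR.
make_sample() {
    dir=$1
    mkdir -p "$dir/home/_backup/.ssh"
    echo 'ssh-ed25519 CONSTRUCTED-KEY bob' > "$dir/home/_backup/.ssh/authorized_keys"
    cat > "$dir/master.passwd" <<EOF
root:CONSTRUCTED-HASH:0:0:daemon:0:0:Charlie:/root:/bin/ksh
_backup:CONSTRUCTED-HASH:1001:1001::0:0:backup job:$dir/home/_backup:/bin/sh
_report:----:1002:1002::0:0:report job:$dir/home/_report:/bin/sh
EOF
    printf '%s\n' '_backup:----' '_report:----' '_gone:----' > "$dir/baseline"
}
```

Run from a daily job, empty output means every baselined account still carries the placeholder you put there; any line printed is a difference from the state you expected.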