We've been doing this with pictures of Mariusz Pudzianowski (a Polish weightlifter); most people learned to set up their screen lockers pretty quickly. Definitely more effective than spamming people with reminders about security policy. Fun times.
Our trick was to use the unlocked account to message everyone on the general Slack channel that we would bring donuts the next morning. The account owner was expected to commit to that.
What a great trick. You make an (effectively) inconsequential oversight, now you have to work for free for hours to days (pizza and drinks for 50-ish people was the worst I've seen), that's so clever. The best part has always been when they try to harass people into complying, especially the low-paid people with kids. /s
I'm glad I haven't worked at a place that had such informal "policies" in a while. There have been a few attempts by twenty-something engineers with no commitments to establish such rules, but the culture wasn't that toxic, so they (politely) got told to shut up, and that was that. People's desktop backgrounds still get changed sometimes, but respecting people's boundaries goes a long way to make work bearable for everyone. And even with desktop background pranks, if in the slightest bit unsure, communicate beforehand and accept a "no". And don't do what one guy at another company did and use a homophobic meme right before their victim's demo call with an important customer, or you deserve everything that happens afterwards.
It is not an inconsequential oversight. Most people will at least have sessions open to internal/private systems, sometimes sensitive credentials. And part of the teams will go see clients with their company laptops. You absolutely do not want people to be careless about leaving their computers unlocked.
Hence the "(effectively)" in front of inconsequential. This isn't something that will definitely and automatically result in a lot of damage, it usually won't cause any damage at all (especially if people work on desktop machines in an office that opens to a small number of badges). It may be a vector for a critical breach if enough stars align, and there happens to be an attacker nearby that is motivated, capable and willing to take the risk, and the machine is completely unobserved for long enough, but for most people, that's going to be pretty rare. Setting a short non-overridable screensaver delay is still a good idea, and screen locking should be part of security trainings and all that. It's one possible vector for deep penetration and should be treated accordingly.
But if you're effectively harassing people out of a part of their salary, I'd expect the reason to be something truly overridingly critical, and in all settings where I've seen this sort of rule instituted, it was far from that – and if it were, why would you resort to bottom-up hazing to control that risk? That disincentivizes actually improving security (by giving people another pretext to depend on uncompromised user machines), oversights absolutely will still happen and any damage that actually does occur will be hidden and concealed even harder, since now you've created an emotional link to public shaming and people respond to that viscerally.
It was a grassroots honor thing, a game between willing participants. It was not a policy nor was it enforced. Not bringing in donuts would not penalize you in any way. There was no harassment, if you didn't manifest interest you wouldn't be picked on or left out of other (social|professional) activities. I honestly feel there was nothing toxic in the slightest in the practice, just good clean office fun.
Also, nothing was said about having to bring donuts for _everybody_. A single box of a dozen fresh assorted donuts left on the kitchen counter would do it. You'd then announce donuts to be available on a first come first serve on the same Slack channel and leave the hungriest ones to fend for themselves in the hallways.
I remember a colleague had every document and a lot of stuff she was working on littered on her desktop. Nearly every little bit of desktop real estate was occupied.
Once, when again she left for lunch without locking her computer, a colleague of ours got up, made a screenshot of her desktop, put everything on her desktop into the download folder and replaced the background with the screenshot. When she returned from lunch she was very quickly irritated that her computer had stopped working, as she could no longer click any of her files and programs.
It was a blast. And she never left her computer unlocked again.
At my old workplace, it was called being "Donut'ed". You'd email or message "donuts" from the victim's computer, and they were meant to bring in donuts that week.
The mail thing was a long tradition, until HR stepped in to explain that technically it fitted under taking over a coworker's machine and mail account, and was off-limits (e.g. clicking the wrong popup, or auto-completing the mail to the wrong address would turn the joke into more complicated things).
The Pi is meant to be set up with a TV or monitor with a keyboard and mouse for a full interactive login. You need some way for a human to type in authentication.
Of the 20 or so RPis I’ve used over the years, I think only my first one ever got plugged into a keyboard and display. All the others were set up with ssh only.
If there's no password, login doesn't prompt for one (you immediately get a shell after entering the user name) and ssh won't let you log in. Removing the password is the correct default for interactive login on GNU/Linux unless you set up PAM.
Yeah, default users are fine, but the basic architecture of Linux (and, to my knowledge, all operating systems) means that there’s no meaningful way to create a user without creating a password, so you can’t have a default user without a default password.
Fun anecdote: I used to log into people's Pis in college and show them that they needed to change the password. People don't react nicely to that.