Can you give a basis for that statement? I've been running user with a password (for openssh access via publickey; if no user password, key authentication fails automatically) for a couple of days now, and haven't noticed any issues.