If you like, but that's still exploitable and at best a pain in the arse for you to type in each time, when a better and more secure alternative exists. I tend to leave the password on the root account enabled (consider setting the root password to something insane) and accept the risk, but adding a password (any password) to the user account is just doubling my exposure.