diff --git a/resources/macos_user.rb b/resources/macos_user.rb
index df11750..5954c07 100644
--- a/resources/macos_user.rb
+++ b/resources/macos_user.rb
@@ -73,6 +73,14 @@ action_class do
     end
   end
 
+  def user_password
+    if new_resource.property_is_set?(:password)
+      ['-password', new_resource.password]
+    else
+      ''
+    end
+  end
+
   def exec_sysadminctl(args)
     shell_out!(sysadminctl, args).stderr
   end
@@ -120,7 +128,7 @@ action :create do
   end
 
   unless ::File.exist?(user_home) && user_already_exists?
-    cmd = [*token_credentials, '-addUser', new_resource.username, *user_fullname, '-password', new_resource.password, admin_user]
+    cmd = [*token_credentials, '-addUser', new_resource.username, *user_fullname, *user_password, admin_user]
     output = exec_sysadminctl(cmd)
     unless /creating user/.match?(output.downcase)
       raise "error while creating user: #{output}"
@@ -129,7 +137,7 @@ action :create do
 
   if new_resource.secure_token && !secure_token_enabled?
     validate_secure_token_modification
-    cmd = [*token_credentials, '-secureTokenOn', new_resource.username, '-password', new_resource.password]
+    cmd = [*token_credentials, '-secureTokenOn', new_resource.username, *user_password]
     output = exec_sysadminctl(cmd)
     unless /done/.match?(output.downcase)
       raise "error while modifying SecureToken: #{output}"
@@ -138,7 +146,7 @@ action :create do
 
   if !new_resource.secure_token && secure_token_enabled?
     validate_secure_token_modification
-    cmd = [*token_credentials, '-secureTokenOff', new_resource.username, '-password', new_resource.password]
+    cmd = [*token_credentials, '-secureTokenOff', new_resource.username, *user_password]
     output = exec_sysadminctl(cmd)
     unless /done/.match?(output.downcase)
       raise "error while modifying SecureToken: #{output}"
diff --git a/spec/unit/resources/macos_user_spec.rb b/spec/unit/resources/macos_user_spec.rb
index 52c387e..7552b7d 100644
--- a/spec/unit/resources/macos_user_spec.rb
+++ b/spec/unit/resources/macos_user_spec.rb
@@ -56,6 +56,31 @@ describe 'macos_user with a weak password on machine with a password policy' do
   end
 end
 
+describe 'macos_user with no password on machine without a password policy' do
+  step_into :macos_user
+
+  platform 'mac_os_x', '11'
+
+  before do
+    stubs_for_provider('macos_user[create user with no password]') do |provider|
+      allow(provider).to receive_shell_out('/usr/sbin/sysadminctl', '', '-addUser', 'cloudtest', '', '', '',
+                                           stderr: 'creating user record…', exitstatus: 0)
+      allow(provider).to receive_shell_out('/usr/sbin/sysadminctl', '-secureTokenStatus', 'cloudtest',
+                                           stderr: 'Secure token is DISABLED for user cloudtest', exitstatus: 0)
+    end
+  end
+
+  recipe do
+    macos_user 'create user with no password' do
+      username 'cloudtest'
+      secure_token false
+      autologin true
+    end
+  end
+
+  it { is_expected.to create_macos_user('create user with no password') }
+end
+
 describe 'macos_user attempting to delete the last secure token user' do
   step_into :macos_user