One Day Sec

What is the difference between machine account SPNs and user account SPNs in Kerberoasting?

Machine account SPNs are registered under computer objects and use a random, complex password that cannot be used for remote logon, making them worthless for cracking. User account SPNs are registered under domain user objects, and their passwords can be cracked offline and reused for lateral movement. This distinction is why attackers focus on domain user SPNs, as explained in the Domain Penetration - Kerberoasting article.
Tags: machine account, user account, SPN type, password cracking, lateral movement
