https://fedoraproject.org/wiki/Changes/DisallowEmptyPasswordsByDefault
== Summary ==
Remove ''nullok'' parameter from pam_unix module in default PAM
configuration in order to disallow authentication with empty password.
== Owner ==
* Name: [[User:pbrezina| Pavel Březina]]
* Email: <pbrezina@redhat.com>
== Detailed Description ==
Current default configuration allows users to login with an empty
password by setting nullok parameter to pam_unix module. This affects
only logins to local machine, it does not affect ssh logins as this
must be explicitly allowed in sshd_config. We want to disallow empty
password by default for local logins as well to improve system
hardening.
It makes sense to implement this functionality so that users/admins can harden their systems in this way if they prefer. But I don't think it should be the default all across Fedora. Especially in desktop space, empty passwords make sense. I think the best approach would be to provide the functionality and then let individual spins/editions enable this by default if they want (e.g. the Security spin, or Server).