diff --git a/src/modules/users/UsersPage.cpp b/src/modules/users/UsersPage.cpp
index c0965a7ed..92070d1da 100644
--- a/src/modules/users/UsersPage.cpp
+++ b/src/modules/users/UsersPage.cpp
@@ -407,14 +407,7 @@ UsersPage::validateHostnameText( const QString& textRef )
 bool
 UsersPage::checkPasswordAcceptance( const QString& pw1, const QString& pw2, QLabel* badge, QLabel* message )
 {
-    if ( pw1.isEmpty() && pw2.isEmpty() )
-    {
-        // Not exactly labelOk() because we also don't want a checkmark OK
-        badge->clear();
-        message->clear();
-        return false;
-    }
-    else if ( pw1 != pw2 )
+    if ( pw1 != pw2 )
     {
         labelError( badge, message, tr( "Your passwords do not match!" ) );
         return false;
@@ -510,6 +503,14 @@ UsersPage::addPasswordCheck( const QString& key, const QVariant& value )
     {
         add_check_maxLength( m_passwordChecks, value );
     }
+    else if ( key == "nonempty" )
+    {
+        if ( value.toBool() )
+        {
+            m_passwordChecks.push_back( PasswordCheck( []() { return QCoreApplication::translate( "EMP", "Password is empty" ); },
+                                    []( const QString& s ) { return ((cDebug() << "Checking pwd" << s << "for empty"), !s.isEmpty()); } ) );
+        }
+    }
 #ifdef CHECK_PWQUALITY
     else if ( key == "libpwquality" )
     {
diff --git a/src/modules/users/users.conf b/src/modules/users/users.conf
index cae9bef0d..00747195c 100644
--- a/src/modules/users/users.conf
+++ b/src/modules/users/users.conf
@@ -58,8 +58,14 @@ setRootPassword: true
 doReusePassword: true
 
 # These are optional password-requirements that a distro can enforce
-# on the user. The values given in this sample file disable each check,
-# as if the check was not listed at all.
+# on the user. The values given in this sample file set only very weak
+# validation settings.
+#
+# - nonempty rejects empty passwords
+# - there are no length validations
+# - libpwquality (if it is enabled at all) has no length of class
+#   restrictions, although it will still reject palindromes and
+#   dictionary words with these settings.
 #
 # Checks may be listed multiple times; each is checked separately,
 # and no effort is done to ensure that the checks are consistent
@@ -84,6 +90,7 @@ doReusePassword: true
 #    (That will show the box *Allow weak passwords* in the user-
 #    interface, and check it by default).
 passwordRequirements:
+    nonempty: true
     minLength: -1  # Password at least this many characters
     maxLength: -1  # Password at most this many characters
     libpwquality: