Update: Apple has released an update that fixes this bug. If you’re using macOS High Sierra you should update. If you’re not, keep reading because setting your root password is a good thing to do anyway.
What happened
Apple has a major security bug in the latest version of macOS that allows anybody to get full admin (root) access without a password. As a result, people are a little peeved about it:
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
What to do about it
You can fix this even if you’re not using the latest version by setting your root password. First, open a Terminal window and enter this command:
sudo passwd -u root
This will ask you for your password, and then ask you to enter and confirm your new root password. Note: You don’t see what you’re typing or any asterisks when you enter passwords in the Terminal. Just relax and make sure you enter the password correctly:
Password:
Changing password for root.
New password:
Retype new password:
Finally, make sure to use a password that isn’t the same as the one for your user account, and that’s either stored securely (I like LastPass) or is easy to remember but hard to guess.
If you aren’t an admin user you’ll see an error message like this:
USERNAME is not in the sudoers file. This incident will be reported.
Don’t freak out: the “reporting” is just a note made in a local file. (Or is it…) You won’t be able to fix this yourself, but somebody who uses your computer must have an admin account, so ask them and they’ll be able to fix it. Or you can use the instructions on Apple’s site.
I expect Apple should have a fix for this soon, because it’s really bad.