New users get a default password ''zabbix'.
Even if this is mainly an issue for users with internal frontend access, this shouldn't happen at all.

Maybe one can request on user creation a password if user groups with 'internal' frontend access are selected, or even better set initially a value that will never be a valid hash.