Why is this even allowed?
If you enable either one of these features, the interface should force you to set an 'admin' password.
Security should always be your focus - we ALWAYS change defaults. Edit: If you don't set a password, it is the serial number of the device. So not exactly blank, but weak.
The onus to provide security of the devices falls on you, the administrator. Meraki provides security over what they control, the cloud. So its up to you, to set up the default password for device login when they pull configurations from the cloud. The serial number can be gotten from the dashbord or from the hardware device, thus requiring you to physically secure your device, which is your responsibility, nothing Meraki can do about.
However, a reminder for setting password is a good idea.
Every single network device I've used always comes with a default user name and password. During initial setup, we change this password to something more secure. Setting up the Meraki device username/password is no different than on a HP. If YOU don't change it, there's a default that anyone could use if they know where to look.
@Mr_IT_Guy @Chris_M @BHC_RESORTS Thanks all.
This is exactly what I have done and do completely agree! I just don't think it being able to have it blank is a very good design. I've seen this implemented on other systems where you can unlock it to blank for 15-30 minutes.
Admittedly I found this on a network I did not setup, which obviously prompted me to check all our networks.