Anyone have a smart idea on how to identify a macOS device without a password? In the past I've used the presence of ShadowHashData value from the dscl plist:

select * from (select os_version.version, case when p2.value <> '' then 1 else 0 end as password_set, case when p1.value = '*' then 0 else 1 end as account_enabled, u.shell, u.username as account_username from plist p1, os_version, (select * from users where directory != '/var/empty') u left join plist p2 where (p1.path = '/var/db/dslocal/nodes/Default/users/' || username || '.plist' and p1.key = 'passwd') and (p2.path = '/var/db/dslocal/nodes/Default/users/' || username || '.plist' and p2.key = 'ShadowHashData'));

+---------+--------------+-----------------+-----------+------------------+
| version | password_set | account_enabled | shell     | account_username |
+---------+--------------+-----------------+-----------+------------------+
| 10.15.2 | 1            | 1               | /bin/zsh  | fritz-imac       |
| 10.15.2 | 1            | 1               | /bin/bash | nopassword-test  |
+---------+--------------+-----------------+-----------+------------------+

Or the presence of a

password_last_set_time

from the account_policy_data table.