I thought that was fixed - ages ago - by having it nag you if both of the following are true:
1) SSH is enabled
2) The password is still the default
I mean, I suppose people could continue to ignore the nag, but it is pretty "in your face". Hard to believe that people would just ignore it (and not report that fact when posting to the forum).
And this is as good a time as any for me to point out once again that there is no need for there to be any "default" password (on the "pi" account) at all. There should not be. This is because:
1) The default, out-of-the-box setup is to boot into the desktop with no password prompt. This, obviously, works without need for there to be any password.
2) When "ssh" is set up, then - and only then - should there be a password.
1) My point, of course, is that if there isn't a default password ("raspberry"), then all the security concerns about people running with a default password would become moot.
2) For headless setup, we could say that the contents of the "ssh" file dropped into /boot would be the new password. Until now, we've always said that the contents of the file are irrelevant. Now, they would no longer be.
3) In typing this up, I just realized an exception: What if one's only connection to the machine is via serial cable? That's a case where you'd actually need the default password to be in place and ready-to-go.
That actually is me on many occasions. Well, if that's you, you can figure out a way. I assume anyone in that situation could figure out how to deal with it.
I actually think there's a lot to say for the machine being set up to auto-login on the serial port - so if you can connect the cable, you are in. I've set up several machines (Pis and other machines) this way - pre-systemd. It is on my TODO list to figure out how to do it on the Pi with systemd.
"L'enfer, c'est les autres"
G fytc hsqr rum umpbq rm qyw rm rfc kmbq md rfgq dmpsk:
J lnacjrw njbruh-carppnanm vxm rb mnuncrwp vh yxbcb!