diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -288,6 +288,7 @@
 	char *encrypted;
 	time_t passwordtime;
 	int pfd, tfd, retval;
+	char emptyhash[] = "";
 
 	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
 		user = getlogin();
@@ -402,8 +403,14 @@
 			pwd->pw_change = time(NULL) + passwordtime;
 		
 		login_close(lc);
-		makesalt(salt);
-		pwd->pw_passwd = crypt(new_pass, salt);
+
+		/* store empty password as an empty hash */
+		if (new_pass[0] == '\0')
+			pwd->pw_passwd = emptyhash;
+		else {
+			makesalt(salt);
+			pwd->pw_passwd = crypt(new_pass, salt);
+		}
 #ifdef YP
 		switch (old_pwd->pw_fields & _PWF_SOURCE) {
 		case _PWF_FILES: