By default, the PAM configuration files in Linux allow for null or empty passwords due to the nullok feature. From the manpage,

# man pam_unix
nullok
        The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default.