Apple has just released an emergency patch to better lock down the “root” account where a preset password does not exist.  In certain settings, the “MacOS 10.13.1 Root vulnerability” allowed a missing password challenge to be fully worked around.  This bug is serious and Apple quickly responded with a “patch now” update  

https://redmondmag.com/articles/2017/11/29/apple-issuing-macos-high-sierra-patch.aspx

Apple is issuing a patch today for macOS High Sierra users that fixes a major password-bypass flaw in that operating system. The flaw lets anyone access a system with superuser privileges by using the user name “root” and a blank password. Apple is releasing Security Update 2017-001, which is designed to fix a logic error in the credentials validation process, according to a Nov. 29 Apple support article. The fix is only for macOS High Sierra 10.13.1 users. Older macOS High Sierra versions aren’t affected, according to Apple.

More can be found here:

https://blogs.msmvps.com/harrywaldron/2017/11/29/macos-10-13-1-root-vulnerability-allows-new-admin-account-without-password/