The problem can be corrected by upgrading the affected package to
version 2.67ubuntu20 (base-config) and 1:4.0.3-37ubuntu8 (passwd). In general, a standard system upgrade is sufficient to effect the
necessary changes.

The updated packages remove the passwords and additionally make the
log files readable only by root.

This does not affect the Ubuntu 4.10, 5.04, or the upcoming 6.04
installer.

Full Post.