Should root and 'admin' password be expired during kickstart?
SB-237, a law passed in California, contains the following text:
(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met: (1) The preprogrammed password is unique to each device manufactured. (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
Many sample kickstart files have template credentials. For example: https://github.com/ComplianceAsCode/content/blob/master/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg#L55#L65
Per an idea from Steve Grubb, should we include "passwd -e" for those accounts, perhaps in the %post section?
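One way to check the `passwd -e` idea from a `%post` script, as an added example that is not from this issue or the ComplianceAsCode project: `passwd -e` sets the last-change field (third field) of `/etc/shadow` to 0, so the function below flags any listed account that has a usable hash and a different value there. The function names and the sample shadow entries are constructed for illustration.

```shell
# Added example, not project code. Function names and sample data are
# assumptions made for illustration.

# Print each listed account that has a usable password hash but whose
# last-change field (3rd field of shadow(5)) is not 0, i.e. the account
# would NOT be forced to set a new password at first login.
# Usage: unexpired_accounts SHADOW_FILE ACCOUNT...
unexpired_accounts() {
    shadow_file=$1
    shift
    for account in "$@"; do
        awk -F: -v user="$account" '
            $1 == user {
                found = 1
                # A hash field starting with "!" or "*" cannot be used to log in.
                locked = ($2 ~ /^[!*]/)
                if (!locked && $3 != "0") print user
            }
            END { if (!found) exit 2 }
        ' "$shadow_file" || echo "warning: $account not found in $shadow_file" >&2
    done
}

# In a kickstart file this would run in %post, after rootpw/user have set
# the template credentials:
#
#   %post
#   for account in root admin; do passwd -e "$account"; done
#   left=$(unexpired_accounts /etc/shadow root admin)
#   [ -z "$left" ] || echo "template password still active: $left"
#   %end

# Constructed sample shadow entries (placeholder hashes, not real ones):
# root has been expired, admin has not, daemon has no usable password.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:0:0:99999:7:::
admin:$6$CONSTRUCTED$placeholderhash:18500:0:99999:7:::
daemon:*:18500:0:99999:7:::
EOF
}
```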