I thought of that after I posted, testing it as I type now. That still does not eliminate the risk IMHO.

But, as I said, it is about what the acceptable risk your willing to take. If people are willing to have there two levels of security be a random number and username/password then more power to them.

Edit: Depending on Group Policy settings you are correct and it needs an account that has a password. This is the default setting when Windows is installed, so it would have to have been changed for it to open a risk.