Hmm, sounds like you just found a bug in Whonix 18. The PAM module that does this was designed to prevent unforeseen sysmaint mode bypasses when user-sysmaint-split is installed, but it’s likely actively detrimental when running without user-sysmaint-split like you’re doing.
I’ll make a fix for this. In the mean time, what you can probably do is change to a TTY, then log in as account root with password changeme, and set a password for your user account from there.
(In case someone sees this and says “oh my word the default root password is changeme, this is a horrible security hole”, it’s not. Standard user accounts are prevented from running su, so the only way to use an account password to authenticate as that account is to be able to log into that account graphically or via a TTY. Malicious software shouldn’t be able to do either thanks to file permissions, so essentially using the root password requires direct access to the VM console from outside the VM. Appropriate measures should be taken on the host to keep attackers from getting VM console access. ISO images don’t have this default password set.)