By mistake, I seem to have logged in as another user. I was typing my username, when my finger slipped and I logged in before I had either finished typing my complete username, or any password whatsoever.
It seems that the user I accidentally logged in as has an empty password.

* Is this really possible, or have I made a mistake?
* If this really is so, this is a moderate-sized security hole, because this has the same dangers as accounts with publicly accessible passwords, which are generally held to be a case for block-on-sight.
It would probably make sense to check for zero-length passwords at account creation time, and to scan for zero-length and other trivial passwords on existing accounts, if possible, and issue a warning that they will be locked if the user does not change their password after (say) a month.
It would also make sense to try to enforce a simple password-checking routine, to make sure that users from now on can only set passwords that are at least slightly stronger than a single dictionary word (two short words are a surprisingly effective measure in terms of bang-per-character).
-- Neil
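The two checks Neil proposes above, as an added example that is not part of the original post: a scan of shadow-format account records for an empty hash field, and a minimal strength check that rejects empty passwords, very short passwords and a single dictionary word (with optional trailing digits) while letting two short words through. The shadow lines, the tiny wordlist and the 8-character minimum are constructed for the example and are assumptions, not data or policy from the original.

```python
"""Scan shadow-style account records for empty passwords and apply a
minimal strength check to new passwords (example code, not from the post)."""
import re

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:...).
# Not real accounts; "guest" is the deliberately empty one.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
neil:$6$anothersalt$morehash:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

# Constructed mini wordlist standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "secret", "letmein", "dragon",
              "monkey", "welcome", "cat", "dog"}


def empty_password_accounts(shadow_text):
    """Return the usernames whose hash field is empty.

    An empty second field means any password (including none) is accepted.
    Locked accounts ('*', '!', '!!') are the opposite case: no password
    matches, so they are not reported here.
    """
    found = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed record; skip rather than guess
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            found.append(user)
    return found


def password_problem(candidate, dictionary=DICTIONARY, min_len=8):
    """Return None if the password passes, otherwise a short reason string.

    Rejects: empty; shorter than min_len (assumed 8); a single dictionary
    word, optionally followed by digits ("welcome123"). Two words joined
    together ("dragonmonkey") pass, matching the post's suggestion.
    """
    if candidate == "":
        return "empty password"
    if len(candidate) < min_len:
        return f"shorter than {min_len} characters"
    # Strip trailing digits so "dragon1" is treated as "dragon".
    base = re.sub(r"\d+$", "", candidate.lower())
    if base in dictionary:
        return "single dictionary word (with optional trailing digits)"
    return None


def audit(shadow_text):
    """Produce warning lines for accounts that should be told to change
    their password before being locked."""
    return [f"WARNING: account '{u}' has an empty password; it will be locked "
            f"unless the password is changed" for u in empty_password_accounts(shadow_text)]


if __name__ == "__main__":
    for msg in audit(SAMPLE_SHADOW):
        print(msg)
    for pw in ("", "dragon1", "welcome123", "dragonmonkey"):
        print(repr(pw), "->", password_problem(pw) or "ok")
```

On a real system the scan part is the one-liner `awk -F: '$2 == ""' /etc/shadow` run as root; the Python version exists so the same logic can be exercised on the constructed sample without touching live credentials.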