Two problems:

a) users cannot set their password to be 
blank (empty) -- the form submission requires a non-empty 
password.

b) admin _can_ set user passwords to be blank, 
but such users cannot login through the web interface

We 
ran 0.4.3 with blank passwords for all users except admin -- our 
server is internal, our developers trustworthy, and I didn't want the "I 
forgot my Roundup password" hassle. Users with "legacy" blank 
passwords from the 0.4.3 instances can still log in with blank 
passwords under 0.5.0.