by nordsieck 735 days ago
> Windows should be smart enough to know an empty password doesn't meet the password complexity requirements or is of length zero and not count it against the 'bad password count'.

All that logic sounds like a recipe for introducing a side channel attack into the system. Much better to keep things simple.


What kind of side channel exists if the behavior is: if password is required, zero length input is always invalid. This seems kind of like basic UX. I mean I wouldn't expect the password field to validate against the password complexity requirements exactly, just that zero length input is probably a mistake.
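The two designs argued over above, as an added Python example that is not part of the thread and does not model any real Windows code: a toy lockout counter where empty input is either counted like any other bad password or rejected up front, before any account state is consulted. The account names, the lockout threshold of five and the PBKDF2 parameters are constructed for the illustration. The point it makes concrete is the one in the reply: when the empty-input check runs before the account lookup, its answer is the same for every name, whether the account exists, is locked or is fine, so it reveals nothing the normal path did not already reveal.

```python
"""Added example (not from the thread): a minimal lockout counter with and
without an up-front rejection of zero-length passwords.  Threshold, salt
derivation and account data are constructed for illustration only."""
import hashlib
import hmac

LOCKOUT_THRESHOLD = 5  # assumed policy value, not a real default


def _hash(password: str, salt: bytes) -> bytes:
    # Modest iteration count so the example runs quickly; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class AccountStore:
    """In-memory accounts: name -> {salt, hash, bad_count}."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}

    def add(self, name: str, password: str) -> None:
        # Deterministic salt so the example is reproducible; use os.urandom for real code.
        salt = hashlib.sha256(name.encode()).digest()[:16]
        self.accounts[name] = {"salt": salt, "hash": _hash(password, salt), "bad_count": 0}

    def bad_count(self, name: str) -> int:
        return self.accounts[name]["bad_count"]


def login_naive(store: AccountStore, name: str, password: str) -> str:
    """Every submitted credential, empty or not, is checked and counted."""
    acct = store.accounts.get(name)
    if acct is None:
        return "denied"
    if acct["bad_count"] >= LOCKOUT_THRESHOLD:
        return "locked"
    if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
        acct["bad_count"] = 0
        return "ok"
    acct["bad_count"] += 1
    return "denied"


def login_with_empty_check(store: AccountStore, name: str, password: str) -> str:
    """Zero-length input is rejected before the account is even looked up.

    Because the check runs before any per-account state is read, the response
    to an empty password is identical for unknown, locked and healthy accounts,
    and the bad-password counter is never touched by it."""
    if len(password) == 0:
        return "denied"
    return login_naive(store, name, password)


def simulate(login_fn) -> dict:
    """Submit LOCKOUT_THRESHOLD empty passwords for 'alice', then her real one.

    Returns the counter after the empty attempts, the outcome of the genuine
    login, and the responses an unknown name and alice get for empty input."""
    store = AccountStore()
    store.add("alice", "correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        login_fn(store, "alice", "")
    return {
        "bad_count_after_empties": store.bad_count("alice"),
        "real_password_result": login_fn(store, "alice", "correct horse battery staple"),
        "empty_for_unknown": login_fn(store, "nobody", ""),
        "empty_for_alice": login_fn(store, "alice", ""),
    }


if __name__ == "__main__":
    for fn in (login_naive, login_with_empty_check):
        print(fn.__name__, simulate(fn))
```

Under `login_naive` five empty submissions lock alice out and her genuine password is then refused; under `login_with_empty_check` the counter stays at zero and the real login succeeds, while the empty-input response is the same "denied" for alice and for a name that does not exist.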