[DEADMINCE]

> The form shouldn't even submit an empty password,

But it does. And if you have someone malicious trying to access the machine that way, why not lock them out on the first attempt?

I can see the advantage in simplifying things by not submitting blank passwords also, although I also think it isn't necessary.

> not exactly going to resuilt in success on the 1 millionth attempt.

Not, but 2 or 3 attempts should lock the account. I don't see an issue in treating a blank password submission as an attempt, but I guess denying that is easier than trying to educate users.

[rcxdude]

I don't see how it makes any sense as a behaviour other than not having thought to special case it: it's a signal which is blindingly more likely to be an error than an attack, and has no chance of success as an attack. It makes perfect sense as an affordance, even with user education.

[DEADMINCE]

I agree, my point was nonsense. I was still waking up.

[bentruyman]

This example makes no sense to me. An attacker is potentially logging on to the computer and submitting empty passwords to get in. And this is what we're trying to prevent at the expense of having an unclear UX?

[DEADMINCE]

I was wrong. Still sleepy.