It's extremely common now to have authentication driven by LDAP/AD

and/or SAML SSO. With this, admins increasingly want to provision users

separately instead of just letting a successful authentication create

the user account.
This change makes it possible to do a POST to the /api/users/ endpoint

without a password set, which will create the user with an unusable

password.

Ran unit tests.