that sounds more like the user configured their account wrong. right now its possible for someone to set their password to be blank (which is different from disabling password login).