Apply hashing to empty passwords as well.

Only when the password is null should hashing be skipped.

src/Auth/BaseAuthenticate.php

@@ -122,7 +122,7 @@ protected function _findUser($username, $password = null)
             // null passwords as authentication systems
             // like digest auth don't use passwords
             // and hashing *could* create a timing side-channel.
-            if (strlen($password) > 0) {
+            if ($password !== null) {
                 $hasher = $this->passwordHasher();
                 $hasher->hash($password);
             }