What's the difference between empty password and no password?
As said in this question in comments, empty password and no password are different things. So what’s the difference between empty password and no password in Linux Debian?
One still has a password hash, but the other does not.
Password hashing functions can accept an empty string. So if the front end interface allows the user to submit an empty string as a password, then the password will validate. If this is the case, there is an actual password hash stored on the back end that will only validate if the password hashing function receives an empty string. Any other input will result in authentication failure.
If there is no password at all, there is no password hash, and the field where that hash is normally located is completely empty. No matter what attempted password is supplied, authentication will never succeed.