Extra confirmation step when changing password to null

I DMed @SamuelClay on Twitter a couple of days ago (not sure how often you check Twitter though!), not wanting to post what I thought was a severe security vulnerability publicly: I could log into my account without a password or with the wrong password.

Since then I’ve realised what actually happened was that my password wasn’t set. I was 100% certain I had set a password on account creation and even changed it since then too. I think when I was fiddling in my account settings at some point in the past my browser autocompleted the “old password” field in the change password form and left the “new password” field blank. When I saved the changes I intended to make, I unknowingly unset my password as well. I’ve managed to replicate this behaviour.

I think it would be a good idea to have an extra confirmation step if the new password field is left blank, to prevent this from happening.

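The failure mode described in the post, and the confirmation step it asks for, as an added example (not NewsBlur's code, and not code from the poster). It is framework-agnostic: the `Account` record, the PBKDF2 parameters and the status strings are assumptions made for illustration. `change_password_unsafe` plus `authenticate_naive` reproduce the bug (a blank "new password" field is saved as the new password, and an empty password then logs in); `change_password` refuses to unset a password unless the caller passes an explicit `confirm_unset=True` from a second confirmation step, and `authenticate` never accepts an empty password or an account with no password set.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (illustrative KDF choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    """Hypothetical user record; pw_hash is None when no password is set."""
    username: str
    salt: bytes
    pw_hash: Optional[bytes]


def create_account(username: str, password: str) -> Account:
    if not password:
        raise ValueError("a password is required at account creation")
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt))


# --- the bug as described in the post -------------------------------------

def change_password_unsafe(account: Account, old_password: str, new_password: str):
    """Saves whatever arrived in the new-password field, including the empty
    string left by an untouched form, so a browser-autofilled old password
    plus a blank new field silently replaces the password with hash('')."""
    if not authenticate_naive(account, old_password):
        return False, "old password incorrect"
    account.pw_hash = hash_password(new_password, account.salt)
    return True, "password updated"


def authenticate_naive(account: Account, password: str) -> bool:
    """Compares hashes without rejecting empty input, so after the unsafe
    change above a login with a blank password succeeds."""
    if account.pw_hash is None:
        return False
    return hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)


# --- hardened handlers -----------------------------------------------------

def authenticate(account: Account, password: str) -> bool:
    """Login check: an empty submitted password or an account with no stored
    hash is rejected outright instead of being compared against hash('')."""
    if account.pw_hash is None or not password:
        return False
    return hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)


def change_password(account: Account, old_password: str, new_password: str,
                    new_password_confirm: str, confirm_unset: bool = False) -> str:
    """Returns a status string; the account is modified only on
    'password_changed' or 'password_unset'. A blank new password is never
    applied unless the caller has completed an explicit confirmation step."""
    if not authenticate(account, old_password):
        return "old_password_incorrect"
    if not new_password:
        if not confirm_unset:
            return "confirm_unset_required"  # UI should ask "remove your password?"
        account.pw_hash = None
        return "password_unset"
    if new_password != new_password_confirm:
        return "confirmation_mismatch"
    account.pw_hash = hash_password(new_password, account.salt)
    return "password_changed"


if __name__ == "__main__":
    # Constructed walk-through of the report: autofilled old password, blank new field.
    buggy = create_account("demo", "correct-horse")
    print(change_password_unsafe(buggy, "correct-horse", ""))   # (True, 'password updated')
    print("blank login (naive):", authenticate_naive(buggy, ""))  # True: the bug
    fixed = create_account("demo2", "correct-horse")
    print(change_password(fixed, "correct-horse", "", ""))       # confirm_unset_required
    print("blank login (hardened):", authenticate(fixed, ""))   # False
```

The two-status design keeps the form's semantics honest: a blank field is a request the server cannot interpret, so it answers with `confirm_unset_required` and leaves the stored hash untouched until the user explicitly confirms on a second page.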