When a username is added to a record, either on creation or on edit, the UI currently creates a credentials record with an empty password. Man alive that ain't right.
It seems likely this was implemented to work around
MODUSERBL-96. If that can't be closed in time, an alternative implementation would be to call the authn/credentials-existence endpoint when a user clicks the “send reset password” link on the user-edit screen and if that request returns false to create a credentials record with a random password. I don’t love this, but it would unblock the ticket and I think it’s better than immediately creating empty-string password records for all users at the time a username is created: (a) no accounts will have empty-string passwords and (b) these passwords will exist for a shorter period of time since, presumably, the recipient of the email is about to reset the password.