In https://support.atlassian.com/browse/CSP-10738 it was stated that the solution for the NullPointerException when migrating users with null passwords from osuser to atlassian-user was to populate the password field with some arbitrary value. The reason those users had null passwords, is that the confluence API allows them to be created with null passwords, so this is definitely a bug in the migration utility, because the migration utility must be able to migrate users that were created with the confluence API (specifically com.atlassian.user.UserManager in this case, but am pretty sure userAccessor in user-atlassian API also lets you create users without a password).

Support issue relating to bug: https://support.atlassian.com/browse/CSP-10738