When creating new users, Crowd provides a value of PasswordCredential.NONE to indicate that a user has no valid password. It's an encrypted password of "X"; none of the password hashing schemes will produce an 'X', so it can't be used to log in.

However, Crowd also supports 'plaintext'; in a directory using this scheme, setting PasswordCredential.NONE results in a user with exactly a password of 'X'.

For this fix, treat that value as a special case and consider the password invalid.

This would only be an issue for admins who have imported users, rather than created them through the Crowd UI, into a directory using the PLAINTEXT password encoding.