I've hit a blank here and would appreciate a kick start.

I have two password textboxes on a page, and on load I default their value properties to a string of '*', since I don't want to display the proper password, or even hint at its length. Now I don't want to confuse users by letting them edit these blank strings, so on focus I clear the textbox. Now my code thinks the password has changed and will save the blank value, which is allowed, but not intended.

+2  A: 

Keeping everything else the same, I'd probably special case the blank password case and disallow having no password.

In the unusual case of a real use case for the no-password case, I'd add a special button "clear password".

David Schmitt
A: 

Change the code that saves the password so that it doesn't save a blank password?!

James
Some users may use a blank password.
ProfK
+4  A: 

I don't know the reason behind having a blank password (I guess it'll allow limited access perhaps?), but I'd say, ironically, for security purposes, add a check box saying "No password", and disable the password-entry field if it's checked. This way it'll be explicit that the password will be blank, and if there are any consequences for this (limited access, captcha requirements, whatever), the user is hopefully aware that checking this box also has those implications.

roe
+6  A: 

In my opinion, you shouldn't load the passwords in the first place and save the passwords only if they contain some text.

P.S.: For security reasons you should consider not saving the password in plaintext, but as a hashed value (salted). Read here and here. Just a tip.

splattne
I'm not loading the passwords, and I can't hash them, but will look at encrypting them. They're used to access an FTP server, so I have to be able to retrieve them.
ProfK
I understand. Sorry, it was not my intention to sound like a smarta**. But I guess it's always good to remind other programmers of that topic.
splattne
A: 

Whichever way you do this, you're going to have to check the values during your save process, and there's always the potential for things to go wrong (namely the user wants to set their password to your "pretend" string).

If you're using an input of type="password" rather than a type="text", it shouldn't matter what text you add as the browser will hide it for you, so just add a known, but unlikely to be used string (i.e. if you have invalid characters, use them, or start it with #0# or something).

Next I would set this default value using JavaScript - this way if the user has JavaScript disabled, and your onFocus event doesn't run, it doesn't matter, as there's nothing to clear.

Finally, in your Save method, check for the existence of your known string in the password boxes, and if it's there, you know to ignore the value, and if the fields are blank, and the current password is also blank, then nothing will have changed.

Zhaph - Ben Duguid
My problem is if the field is cleared in onFocus, and the current password is not blank, then the code detects and saves the change.
ProfK
Ah, yes, sorry, I've finally seen what you mean.
Zhaph - Ben Duguid
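Added example, not part of any post in this thread: one way to write the save-side check so that a field emptied by the focus handler is treated as "unchanged", and a blank password is stored only on an explicit request (the "No password" checkbox suggested earlier). The names `PLACEHOLDER`, `resolvePasswordUpdate`, `applyPasswordUpdate` and `ftpPassword` are hypothetical, and the sentinel value is constructed.

```javascript
// Added example; every name here is hypothetical.
// Sentinel put in the password box on load (constructed value using the
// "#0#" prefix suggested above). It never contains the stored password.
const PLACEHOLDER = "#0#unchanged#0#";

// Decide what the save routine should do with the posted field.
//   submitted      - raw value of the password box
//   clearRequested - true when an explicit "No password" box was ticked
function resolvePasswordUpdate(submitted, clearRequested) {
  const value = typeof submitted === "string" ? submitted : "";
  const untouched = value === "" || value === PLACEHOLDER;

  if (clearRequested) {
    // Ticking the box and typing a new password contradict each other.
    if (!untouched) {
      return { action: "reject", reason: "password typed while 'No password' is ticked" };
    }
    return { action: "clear" };
  }
  // Sentinel still present, or field emptied by the onfocus handler:
  // neither is a request to change anything.
  if (untouched) {
    return { action: "keep" };
  }
  // Limitation noted in the thread: a password equal to PLACEHOLDER
  // cannot be set, because it is indistinguishable from "untouched".
  return { action: "set", value };
}

// Apply the decision to an account record; returns true if it was modified.
// How the value is protected at rest is outside the scope of this example.
function applyPasswordUpdate(account, submitted, clearRequested) {
  const decision = resolvePasswordUpdate(submitted, clearRequested);
  switch (decision.action) {
    case "set":
      account.ftpPassword = decision.value; return true;
    case "clear":
      account.ftpPassword = ""; return true;
    case "reject":
      throw new Error(decision.reason);
    default:
      return false; // "keep": stored password stays as it was
  }
}
```

The decision is made on the server from the posted values alone, so it gives the same result whether or not the browser ran the focus handler.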
A: 

I have found out that IIS does not allow blank passwords for FTP, so the question is, although interesting, now moot.

ProfK