• mohan.bndr (7/24/2013)


    Thanks all you guys for responding, but I believe this is only possible in the older versions of SQL Server (200 and below).... Am I correct? From SQL 2005 onwards this has been changed and it will not allow a blank password. Please correct me if any information on this...

    Yes, it is technically possible to have a SQL Server account with a blank password; I saw this the other day on a SQL Server 2008 R2 instance. Perhaps it was an artifact left over from a 2000 -> 2005/2008 migration, but it was there.

    For identifying weak SQL Server accounts, I use the following:

    -- There are several frequently used password lists posted on the web.
    -- Here are a few, but perhaps 100 or more could be inserted here.
    declare @PW table (pwtext varchar(180) not null primary key);

    insert into @PW (pwtext)
    values ('password'), ('123456'), ('12345678'), ('1234'), ('qwerty'), ('12345');

    select name, type_desc, create_date, modify_date, password_hash
    from sys.sql_logins l
    join @PW pw on pwdcompare(pw.pwtext, l.password_hash) = 1;

    -- Query accounts with empty password:
    select name, type_desc, create_date, modify_date, password_hash
    from sys.sql_logins
    where pwdcompare('', password_hash) = 1;

    -- Query accounts where password = account name:
    select name, type_desc, create_date, modify_date, password_hash
    from sys.sql_logins
    where pwdcompare(name, password_hash) = 1;

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho