Nice catch - I should have checked: it uses CREATE LOGIN and turns off checking for null passwords. Though I would still rather correct that situation than leave it.