
It shouldn’t be a manual code switch in the first place.


What else would it be? The authentication code would live somewhere. And for debugging someone could change it to always return successful for an empty password. That debugging change shouldn't be checked in of course, and it should have been caught in code review. (It's a reasonable oversight for the authentication unit tests to only test incorrect passwords rather than the edge case of empty passwords.)
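An added example, not part of the comment above and not any project's own code: a Python sketch of the scenario it describes, where a test suite that only tries incorrect passwords passes against a verifier carrying an empty-password debug shortcut, and one extra case catches it. All function names, the sample password and the salt are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample credential; a real store would use a per-user random salt.
SALT = b"constructed-salt"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

STORED = hash_password("correct horse")

def verify_with_debug_shortcut(password: str) -> bool:
    # Deliberately flawed: the local debugging change the comment describes,
    # accidentally left in. An empty password is accepted.
    if password == "":
        return True
    return hmac.compare_digest(hash_password(password), STORED)

def verify(password: str) -> bool:
    # Intended behaviour: an empty password is rejected explicitly, and the
    # comparison is constant-time.
    if not password:
        return False
    return hmac.compare_digest(hash_password(password), STORED)

# A suite that checks the right password and some wrong ones only.
CASES_WRONG_ONLY = [
    ("correct horse", True),
    ("wrong", False),
    ("Correct Horse", False),
]
# The same suite plus the empty-password edge case.
CASES_WITH_EMPTY = CASES_WRONG_ONLY + [("", False)]

def failing_cases(verify_fn, cases):
    """Return the inputs for which verify_fn disagrees with the expected result."""
    return [pw for pw, expected in cases if verify_fn(pw) is not expected]

if __name__ == "__main__":
    for name, fn in [("shortcut", verify_with_debug_shortcut), ("fixed", verify)]:
        print(name, "wrong-only suite failures:", failing_cases(fn, CASES_WRONG_ONLY))
        print(name, "with-empty suite failures:", failing_cases(fn, CASES_WITH_EMPTY))
```

Running the empty-password case in CI is what turns a missed code review into a failed build.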



