TYPO3 Core

A similiar issue is, that all "_cli_" accounts do not have passwords and will neither satisfy the reports-module.
This should also be taken in account when patching the extension.

i also found out, that it's really simple to patch => users with empty password should simply get a password set during the conversion!, so the problem is more a false conversion, than a false display of information.

please see class.tx_saltedpasswords_tasks_bulkupdate.php around line 194

if (strlen($password) > 2 && (t3lib_div::isFirstPartOfStr($password, 'C$') || t3lib_div::isFirstPartOfStr($password, 'M$'))) {
    // Cut off M or C and test if we have a salted hash
    $isSaltedHash = tx_saltedpasswords_salts_factory::determineSaltingHashingMethod(substr($password, 1));
}

we should add something like this directly after the above code:

if (strlen(trim($password)) === 0) {
    $password     = $this->generateSecurePassword(); //use randomizer here
    $isSaltedHash = false;
}

This BUG is also 4.5 LTS related!

suggested way of generating passwords
https://defuse.ca/generating-random-passwords.htm

alternativly we could generate the password with md5(time()) AND disable the user afterwards ;) as this would be insecure.

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421

Patch set 3 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/23421

Patch set 1 for branch TYPO3_6-1 has been pushed to the review server.
It is available at https://review.typo3.org/23432

Patch set 1 for branch TYPO3_6-0 has been pushed to the review server.
It is available at https://review.typo3.org/23433

Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at https://review.typo3.org/23434

Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at https://review.typo3.org/23435

how can it be applied without a review? - anyway thanks