This example makes no sense to me. An attacker is potentially logging on to the computer and submitting empty passwords to get in. And this is what we're trying to prevent at the expense of having an unclear UX?
What kind of side channel exists if the behavior is: if password is required, zero length input is always invalid. This seems kind of like basic UX. I mean I wouldn't expect the password field to validate against the password complexity requirements exactly, just that zero length input is probably a mistake.
It's not an absolute statement, you'd have to have a childish interpretation of the article to have that takeaway. Not every generalization needs a "well actually".
I just find it funny when engineers trivialize solutions that they themselves wouldn't employ. Like yeah, I'm sure your phpbb solution was a proper vulnerability reporting and triaging system.
Do you think Ubiquiti has hundreds of people on staff to watch their forums to triage every issue within seconds of it being posted? I'm curious what level of support would be satisfactory to you, in this instance.