@variablepulserate the bug was in my code. You can see what was done here [github.com]. The issue was in the stored procedure defined in
20B140 update has the fix and it's already been applied to the live server. People setting their sites to use a password should not see the same issue going forward.