the bug was in my code. You can see what was done here []. The issue was in the stored procedure defined in sql/site/spSetSiteData.sql.

The 20B140 update has the fix and it's already been applied to the live server. People setting their sites to use a password should not see the same issue going forward.