At some point in the past, there was a requirement for a user to have a password to be able to login, even if the password within ThingWorx wasn't being used because LDAP was configured as a DirectoryService. This is why the LDAP documentation in KCS has advice on how to create a long, hard-to-break, password for LDAP users ported into ThingWorx in this way. This appears to only be relevant pre-7.4.
Now (7.4+), it appears that users cannot login via BasicAuthentication if a password is not set, even if a null password is given at login.I am fairly sure this would also apply to custom authenticators, but further investigation is required.