The article is a bit confusing regarding this, but no, you can't send an empty password. That's because when a browser does digest authentication it doesn't actually send the password, or even a password hash, to the web server. The browser sends instead a response MD5 hash computed on a string composed of various items, including a variable nonce sent by the server, in addition to the password, for example: response=MD5(MD5(username:realm:password):nonce:MD5(method:digestURI)) https://en.wikipedia.org/wiki/Digest_ac ... entication This means a normal browser would never send an empty response, even when you enter an empty password. It would always send a 32 hex digit MD5 hash looking like this: response="6629fae49393a05397450978507c4ef1" The server would then compute the same hash, and compare them. If they are equal, it allows login, if they are different it denies login. The bug was in the code to compare the two strings. It used the strncmp function that compares the first N characters of two strings: strncmp(string1, string2, N) http://www.cplusplus.com/reference/cstring/strncmp/ And applied it to the computed hash and the hash response received from the browser, with N set to the length of the response received from the browser, so something like: strncmp(computed_hash, response, strlen(response)) So when it compared a real hash generated by a browser it would do something like: strncmp("6629fae49393a05397450978507c4ef1","d3d4914a43454b159a3fa6f5a91d801d", 32) This would work just fine for hashes sent by the browser, which are always 32 characters in length. Even if the password field is empty, it would compare the two strings, they wouldn't match, and it would reject the empty password or invalid password. So anyone testing this from a browser would find it works perfectly. The problem is what happens if you don't use a browser, but you generate an invalid request manually or using a proxy to alter the response, sending an empty string instead of the 32 character hash. Then the compare code does this: strncmp("6629fae49393a05397450978507c4ef1","",0) This means the function will compare the first 0 characters between the two strings. So it is equivalent to: strncmp("","",0) Of course, two 0 length strings are equal, so it wrongfully concludes the hashes are equal.