This will prevent empty passwords to set the encryption to 'none', which in turn will store any subsequent password changes in cleartext. Reproduceable e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
$allowed_actions