so the solution is that if the passwd length is 8, then test if a blank password works… using an action:
dscl . -authonly <username> ""
Don’t do this if length is 1, because then it would probably create the problem
The exit code was 10 on a system where root was NOT blank. I assume the exit code is 0 on a system where root is blank.