In a fresh install of JasperReports Server on Windows 10 when updating a user details using the manage users edit screen (e.g. updating email address, assigning a role, setting attributes) the password is cleared if the password fields are left blank.
Checking the database and decrypting the password showed that it was set to 0000.
I'll take a guess that there isn't a check to see if you are actually changing password or not and an empty string is submitted and encrypted to 0000 and saved to the database.
I'm using the REST web services to do user management so it doesn't impact me but I noticed it when we made a few users using the GUI then assigned them some roles and they all ended up with the same password in the database when they should have been different.
The Windows 10 instance is a local instance, it also happens on our dev server which is Red Hat 5.5. Both instances are using JasperReports Server version 6.3.0.
The Windows 10 instance is using the default PostgresSQL database and the dev instance is using Oracle 11g.
The browser I was using is Chrome.