Public review comment received from Nicholas Humfrey (point 4)

4) While comparing the differenced between the previous version of the
specification, I noticed that it is no longer possible to send a
password without a username. I thought that this was quite a useful
(albeit unintentional?) feature of the protocol, which could be used to
send API keys, OAuth tokens, or other secrets, without requiring a
(fake/unused) username. It could also be used to provide a password for
a client id, without an additional username.