I posted to derby-dev asking if this was a bug and did not receive any response, so I'm logging it as a bug.
Using the Embedded driver and specifying password= for the driver URL does not throw
an exception or warning:
ij> connect 'jdbc:derby:myDB;create=true;user=a;password=';
Using this syntax with the Network Client driver does:
ij> connect 'jdbc:derby://localhost:1527/blobDB;user=a;password=';
ERROR (no SQLState): password length, 0, is not allowed.
This bug is a request to make the behaviour of the client driver the same as the embedded driver.