Improve the user auto-creation flow

[gakhov]

Having a blank string password is not recommended for cases when the user should be explicitly marked as having no password. This is exactly the recommended way that is used when the authentication for the application takes place outside.

Right now the feature of creating users aren't very useful, since it doesn't allow to set additional parameters on the user and most of the developers have to create users in response callbacks. With this simple fix, we return the power to the settings CAS_AUTO_CREATE_USER, so users can set it and build their custom middleware by inheritance.