Fossil Forum

Improving the setup_uedit page ...

(1) By Alfred M. Szmidt (ams) on 2022-11-04 07:48:02 [source]

Hi,

So there is one thing I'm always getting confused about, and I suspect I still don't understand it. On the setup_uedit page we have, no matter if we are editing ourselves, or someone else:

Selected Cap: 	u (key)
Password: 	[********    ]

My confusion is: What happens when you hit Apply? Do you update / change the password field of the user? How do you modify a user without touching the password?

Whatever the answer is, some change to the UI, or some note would be really nice that makes it clearer. I don't have any good suggestions on how to make it better, since I still cannot remember what the current behaviour is! :(

(2) By Stephan Beal (stephan) on 2022-11-04 09:23:56 in reply to 1 [link] [source]

> My confusion is: What happens when you hit Apply? Do you update / change the password field of the user?

Not that i've ever seen happen, no. Looking at the code, fossil intentionally fills that field with a dummy value:

    if( zPw[0] ){
      /* Obscure the password for all users */
      @   <td><input aria-labelledby="supw" type="password" autocomplete="off" \
      @   name="pw" value="**********" /></td>
    }else{
      /* Show an empty password as an empty input field */
      char *zRPW = fossil_random_password(12);
      @   <td><input aria-labelledby="supw" type="password" name="pw" \
      @   autocomplete="off" value="" /> Password suggestion: %z(zRPW)</td>
    }

When applying the change, it treats any password comprised solely of * as invalid and won't change the password:

    /*
    ** Return true if zPw is a valid password string.  A valid
    ** password string is:
    **
    **  (1)  A zero-length string, or
    **  (2)  a string that contains a character other than '*'.
    */
    static int isValidPwString(const char *zPw){
      if( zPw==0 ) return 0;
      if( zPw[0]==0 ) return 1;
      while( zPw[0]=='*' ){ zPw++; }
      return zPw[0]!=0;
    }

> How do you modify a user without touching the password?

Leave it as-is. The "asterisks are magical" behavior is an internal detail which may change. /setup_uedit should arguably use a blank password for that case, but (A) a blank password is legal and (B) the current behavior seems harmless enough (though admittedly a bit confusing - you're not the first person to wonder if they're inadvertently changing a password).

> Whatever the answer is, some change to the UI, or some note would be really nice that makes it clearer. I don't have any good suggestions on how to make it better, since I still cannot remember what the current behaviour is! :(

The current UI seems to strongly imply that if you tap apply, the old password will be reused (which is what happens, in a roundabout way). The fact that it's actually obscuring the old password with a series of asterisks is new information to me, though.

If you will propose a succinct description to the effect of "leave the password as-is to leave it unchanged" (but preferably shorter) i'll add that note next to the password field after the 2.20 release. We're currently "pencils down" for the pending 2.20 release and are only permitted to make genuine fixes.

(3.1) By Alfred M. Szmidt (ams) on 2022-11-04 09:51:22 edited from 3.0 in reply to 2 [link] [source]

I don't like this behaviour. :-(

Consider the dumb me, that accidentally adds a character to the field. From the web browser, all you see is:

Password: ***********

It is impossible to say if you did something, or not. You hit Apply, cause you're changing some other field, and booo....

Ideally, if the field could be shown as "empty", or if it could become highlighted with a red border and a 'modified' message. Though I realise the first would be tricky, and the second requires I guess some Javascript knowledge and hacks (that would be nice for all the fields -- but that is a different story!)

But maybe just:

Password: [********    ]        (Leave as-is to keep the current password)
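
The behaviour discussed in posts (2) and (3.1), as an added example that is not part of the thread or of Fossil's source: `isValidPwString()` is the check quoted in post (2), run here over constructed form submissions to show which ones leave the password alone. `classifyPwField()`, `looksLikeEditedPlaceholder()`, and the assumption that every string passing the check is stored as the new password are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PLACEHOLDER "**********" /* value the form pre-fills, per post (2) */

/* The check quoted in post (2): NULL or all-'*' means "not a password". */
static int isValidPwString(const char *zPw){
  if( zPw==0 ) return 0;
  if( zPw[0]==0 ) return 1;
  while( zPw[0]=='*' ){ zPw++; }
  return zPw[0]!=0;
}

/* Hypothetical classification of a submitted "pw" field. Assumption: any
** string that passes isValidPwString() is stored as the new password. */
enum PwAction { PW_KEEP, PW_SET_EMPTY, PW_REPLACE };
static enum PwAction classifyPwField(const char *zPw){
  if( !isValidPwString(zPw) ) return PW_KEEP;
  return zPw[0]==0 ? PW_SET_EMPTY : PW_REPLACE;
}

/* Hypothetical guard: true when zPw is mostly the placeholder plus one or
** two stray characters, the accidental edit described in post (3.1). */
static int looksLikeEditedPlaceholder(const char *zPw){
  size_t nStar = 0, nOther = 0;
  if( zPw==0 ) return 0;
  for(; *zPw; zPw++){
    if( *zPw=='*' ) nStar++; else nOther++;
  }
  return nOther>0 && nOther<=2 && nStar>=strlen(PLACEHOLDER)-2;
}

int main(void){
  /* Constructed sample submissions, not taken from the thread. */
  const char *aSample[] = { PLACEHOLDER, "*********", PLACEHOLDER "x",
                            "****x*****", "", "correct horse" };
  static const char *azAction[] = { "keep", "set-empty", "replace" };
  size_t i;
  for(i=0; i<sizeof(aSample)/sizeof(aSample[0]); i++){
    printf("[%s] -> %s%s\n", aSample[i],
           azAction[classifyPwField(aSample[i])],
           looksLikeEditedPlaceholder(aSample[i]) ? "  (ask to confirm)" : "");
  }
  return 0;
}
```

Deleting a character from the placeholder still yields an all-asterisk string and keeps the password; only an added or substituted non-asterisk character turns the submission into a replacement.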

(4) By Alfred M. Szmidt (ams) on 2022-11-19 09:19:49 in reply to 3.1 [link] [source]

Friendly reminder, now that 2.20 is out. :-)

(5) By Stephan Beal (stephan) on 2022-11-19 09:24:56 in reply to 4 [link] [source]

> Friendly reminder, now that 2.20 is out. :-)

It was merged in a few hours after the release ;).

(6) By Alfred M. Szmidt (ams) on 2022-11-19 23:52:56 in reply to 5 [link] [source]

Missed it! Sorry for the noise, thank you for the fix!