The error message 'The password cannot be empty' is a validation rule applied on the password attribute of the system.user entity. The issue is related to when this validation rule is running. I am not exactly sure how the platform evaluates validation rules with after create flows, but I was able to replicate your issue. I created a User object, and even though I had an 'After Create' action that set the password, I still got an error when I tried to commit. Is it possible for you to set the password outside of the 'After Create' microflow before you get to the page where the saving occurs? That worked for me.