User manager methods create() and create_user()

That's exactly why the user model has a custom manager with a UserManager.create_user() method for creating users. There are two problems with using the QuerySet.create() method on User instances:

1. If you run the management command python manage.py sql, pay attention to the auth_user schema:

   CREATE TABLE "auth_user" (    ...    "password" varchar(128) NOT NULL,    ...)

   In SQL, an empty string, '', does not equate to NULL, i.e. ISNULL('') != TRUE.

2. QuerySet.create() and QuerySet.update() do not trigger model validation. Model validation only happens when ModelForm instances call the Model.full_clean() instance method.

   Raising a validation error in the context of working with the QuerySet API directly simply makes no sense in Django. That's why you can do something like User.objects.create(username='foo', password='') even though CharField().validate(value='', None) would raise a ValidationError for a blank string.

For the reasons above, you should defer from using User.objects.create() and rely on the supplied User.objects.create_user() method from the model's custom manager.

Look at django's source User model, there's a custom manager, snippet:

class UserManager(models.Manager):    # ...       def create_user(self, username, email=None, password=None):        """        Creates and saves a User with the given username, email and password.        """        now = timezone.now()        if not username:            raise ValueError('The given username must be set')        email = UserManager.normalize_email(email)        user = self.model(username=username, email=email,                          is_staff=False, is_active=True, is_superuser=False,                          last_login=now, date_joined=now)        user.set_password(password)        user.save(using=self._db)        return user