You can test it like this, mapping undef to an empty string just for the comparison:

unless ($user || '' and $pass || '') {
    ...
}
[download]

Personally, I wouldn't force people into using a password that matches ^\w{8}$ (which you seem to do) - maybe you want a check like 8 <= length $pass and some more checks? Your current way would set my password to "threepig" from "one!threepiggies".