The vulnerability come from the usage of strcmp php function. Normally return 0 if two strings are equals. But if one of the two operators is not a string some weird behaviour can happen. For example if you compare a string and an array it returns NULL + PHP Warning:
So we can bypass if(strcmp($PASSWORD, $_GET['password']) == 0) and change it to if(NULL == 0)
And thanks to PHP native weakness NULL == 0 return True. More details
So now we just have to forge a GET request giving an array: http://yrmyzscnvh.abctf.xyz/web6/?password[]="".
Why? What is that? Transforming ?password=value to ?password[]=value will pass an array instead of a simple value so ?password[]="" will give an empty array.