I have configured my MySQL database to require passwords for all users, even root from the machine itself.
Now I have discovered that there are empty users in my database.
Reproduce: mysql -u root -p
and then use mysql;
and select * from user;
It gives me two entries, one with "localhost" and user <empty> and one with the machine's hostname and user <empty>.
Now I tried to access the account with mysql -u ' '
(yes, it's correct, leave a space between the quotes)
and I log in without a password.
The user can "only" see information_schema and test, the two databases created by default.
He does not have access to mysql or any other custom-created databases.
I have already changed the password of this user to something I won't tell you:
mysql -u root -p
use mysql;
UPDATE mysql.user SET Password=PASSWORD('thisisasecretpassword') WHERE USER='root';
FLUSH PRIVILEGES;
Now my questions:
Is any MySQL server vulnerable to an attack with this entry?
Could an attacker break out of this account or the two default databases?
Should I password-protect those users, or can I delete them? Are they required for some MySQL-internal things?
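The statements below are an added example, not part of the question above, showing how an administrator would enumerate the anonymous accounts the poster describes, inspect what they are allowed to do, and remove them. They assume a MySQL 5.x server whose mysql.user table still has a Password column, as in the UPDATE statement in the question; the host name 'myhost' is a placeholder for the machine's own hostname, which the question does not state.

```sql
-- Added example (not the poster's own commands): enumerate the anonymous
-- accounts described in the question and remove them, as an administrator
-- would on a MySQL 5.x server where mysql.user still has a Password column.
-- 'myhost' is a placeholder for the machine's hostname (an assumption).

-- 1. List every account whose user name is empty. The server falls back to
--    an anonymous account for any client user name that has no explicit
--    mysql.user row, which is why "mysql -u ' '" lands in one of them.
SELECT User, Host, Password
  FROM mysql.user
 WHERE User = '';

-- 2. Show what such an account may do. The grants live partly in mysql.user
--    (global privileges) and partly in mysql.db (per-database privileges);
--    on a default install the empty-user rows in mysql.db are what grant
--    access to the 'test' database.
SHOW GRANTS FOR ''@'localhost';
SELECT Host, Db, User
  FROM mysql.db
 WHERE User = '';

-- 3. Remove the accounts instead of assigning them a password. DROP USER
--    deletes the mysql.user rows and every privilege row that references
--    the account, and takes effect without FLUSH PRIVILEGES.
DROP USER ''@'localhost';
DROP USER ''@'myhost';   -- placeholder hostname, substitute the real one

-- 4. Confirm that no anonymous account is left.
SELECT User, Host
  FROM mysql.user
 WHERE User = '';
```

Run these as root with mysql -u root -p. The same cleanup is what the mysql_secure_installation script offers under "Remove anonymous users?"; running the statements by hand makes it visible which host entries existed and what they were granted before they were dropped.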