
Totally bizarre: deleting a MySQL user allows me to still login as that user with an empty password

Using MySQL 5.5 on Arch Linux, when I create a localhost user with a password and give it all privileges to all tables and then delete that user, I can still login as that user without typing in a password.

Steps to reproduce:

# mysql -u root -h localhost -p
  Enter password: <root password>

mysql> create user 'test'@'localhost' identified by 'testing123';
mysql> grant all on *.* to 'test'@'localhost' identified by 'testing123';
mysql> select * from mysql.user where user='test';
       1 row in set (0.00 sec)
mysql> exit

# mysql -u test -h localhost -p
  Enter password: testing123

mysql> show databases;
mysql> exit

# mysql -u root -h localhost -p
  Enter password: <root password>

mysql> delete from mysql.user where user='test';
       Query OK, 1 row affected (0.00 sec)
mysql> FLUSH PRIVILEGES;
mysql> select * from mysql.user where user='test';
       Empty set (0.00 sec)
mysql> exit

# mysql -u test -h localhost

mysql> (Why?)

Not only that, but the "non-existing" test user can still exercise all of the same privileges. Major security problem. If I restart the server, it still lets me login without a password.


I finally figured out what was happening. By default, in the user table there is an anonymous user @ localhost. This user is automatically matched with any attempted username and logged in as that anonymous user. Kind of strange, I know. To get rid of the anonymous user, login as root and perform the following command:

drop user ''@localhost;
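To make the answer above actionable as an audit, here is an added SQL walkthrough (not part of the original question or answer) that detects anonymous accounts, shows how the server resolves an unknown login name, removes the anonymous accounts, and verifies the result. It assumes MySQL 5.5, where the hash column in `mysql.user` is still named `Password`, and a session opened as root; the host names in the comments are illustrative.

```sql
-- Added example, not from the original question or answer.
-- Assumes MySQL 5.5 (mysql.user still has a Password column) and a root session.

-- 1. Detection: list anonymous accounts, i.e. rows whose User column is empty.
--    A default 5.5 install typically has one for localhost and one for the
--    machine's own hostname.
SELECT User, Host, Password FROM mysql.user WHERE User = '';

-- 2. Why a deleted name still logs in: the server picks the matching row with
--    the most specific Host first, then the most specific User. An empty User
--    is a wildcard, so once 'test'@'localhost' is gone, a login as "test" from
--    localhost falls through to ''@'localhost'. From such a session this shows
--    an empty user part (e.g. @localhost) rather than test@localhost:
SELECT CURRENT_USER();

-- 3. Mitigation: drop every anonymous account, one per Host value found in
--    step 1. DROP USER also cleans up mysql.db / mysql.tables_priv rows and
--    takes effect without FLUSH PRIVILEGES, unlike DELETE FROM mysql.user.
DROP USER ''@'localhost';
-- DROP USER ''@'myhostname';   -- illustrative: repeat for each Host from step 1

-- 4. Verification: no anonymous rows remain, and the old test account is gone.
SELECT User, Host FROM mysql.user WHERE User = '' OR User = 'test';
-- Expect: Empty set

-- 5. Going forward, remove accounts with DROP USER instead of editing the
--    grant tables directly, so related privilege rows are removed with them.
DROP USER 'test'@'localhost';
```

The same cleanup (removing anonymous users, the test database, and remote root login) is what the bundled `mysql_secure_installation` script performs interactively; running it once after installation avoids this class of surprise.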
