When an empty password is set, the server doesn't call
st_mysql_auth::hash_password and leaves
MYSQL_SERVER_AUTH_INFO::auth_string empty.

Normally, auth_string would be a string of readable characters beginnging from
"P", followed by a single digit, like "P0". In this case, auth_string[0] will
be '\0', followed by a garbage.

In case of empty auth_string, let's generate an empty password ad-hoc. It makes
no sense save it to auth_string, since it's a sopy of a globally stored object.
This means also, that ext-salt will be random per each login.