Anche se non dovesse fare differenza prova NULL invece di null.

Secondo la documentazione dovrebbe andare

If not provided or NULL, the MySQL server will attempt to authenticate the user against those user records which have no password only. This allows one username to be used with different permissions (depending on if a password as provided or not).