Back in the early days of Membase a decision was made that if you create a bucket named "default" all clients would be put in that bucket whenever they connected. By doing so one could take any community client which used the binary protocol and replace memcached with membase.
When we later added RBAC ns_server will detect during upgrade if there is a bucket named "default" and create user named "default" without any password. Memcached will then check if that user exists (with an empty password). (Note: administrators can't create users with an empty password, so it is only ns_server which may "enable" the default bucket logic).
It would be a good idea to rip out all of this "magic" of our system and require all connections to authenticate and select the bucket they want to use. This reduce the complexity of our system and make sure we won't get any bad publicity by "open couchbase database found on the internet"