As for you #2 inquiry, there is nothing wrong with XAMPP. ALL MySQL installation only come with 'root' as a single user, with no password. (it will make sense if you think about it).
You are correct, it is a bad idea to use root with a password of "" as the default user for an application IF YOU EXPOSE your installation. YOU have to create users and sometimes the databases to work with applications/scripts. Apparently Joomla kinda danced over/around that issue. I did a Google search and I see folks recommending to run like that. Whatever, you are correct - bad idea. Even if your installation were initially totally local, if at some point you wanted to 'open' it, you would be right back at square one, changing the default user for administration of Joomla.
You would use phpMyAdmin to create the database (perhaps 'joomla') and create a user for Joomla, and to grant the correct privileges.
If you decide to go with root, use the XAMPP security script to set the passwords for 'important accounts'. Its found by clicking 'Security' on the XAMPP Welcome page -
BTW, PULEEEZE - just one question per thread. Also they have these carriage returns <Enter> that you can put in your posts so they are readable.
Good Luck