If you’re installing ESXi for someone else (or even for yourself in a pre-deployment phase), chances are you’re going to use a temporary password that is incredibly easy for the sake of deployment. And, chances are also favorable that this easy password will forever remain as the root password until the host is eventually decommissioned.
One handy trick that I sometimes leverage is using a blank password for the initial configuration. The vSphere Client is helpful enough to place a warning bang on any host that has been configured in such a way, which is a great reminder that someone needs to go in and set the password to something more robust.
As with any configuration element, there is a tradeoff here. On the downside, a blank password is definitely much easier to guess if someone is trying to sneak into the system, although I would argue that most variations of simple passwords are equally easy to break. On the upside, it’s very easy to see if someone took the time to change the root password from the default of blank.
Once finished, it’s a simple matter to call something like the vMA (vSphere Management Assistant), PowerShell (check out Alan Renouf’s post here), or vCLI to kick off password changes. Thoughts?
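One way to do the PowerShell variant of that last step, as an added example that is not from the original post or from Alan Renouf's script: a PowerCLI loop that connects directly to each host with the blank deployment password, sets a new root password, and reports which hosts were changed. The host names are constructed placeholders, and it assumes VMware PowerCLI is installed and that `Connect-VIServer` accepts a credential with an empty password.

```powershell
# Added example: replace a blank deployment-time root password on ESXi hosts.
# Requires VMware PowerCLI. Host names are constructed placeholders.
param(
    [string[]] $VMHosts = @('esxi01.example.test', 'esxi02.example.test')
)

# Deployment credential: root with an empty password (assumption: PowerCLI
# accepts an empty SecureString in -Credential).
$emptyPw = New-Object System.Security.SecureString
$blank   = New-Object System.Management.Automation.PSCredential('root', $emptyPw)

# Prompt once so the new password never lands in the script or shell history.
$newPw    = Read-Host -Prompt 'New root password' -AsSecureString
$newPlain = [System.Net.NetworkCredential]::new('', $newPw).Password

$results = foreach ($h in $VMHosts) {
    $conn = $null
    try {
        # Connect to the host itself, not vCenter: root is a host-local account.
        $conn = Connect-VIServer -Server $h -Credential $blank -ErrorAction Stop
        $root = Get-VMHostAccount -Id 'root' -Server $conn -ErrorAction Stop
        Set-VMHostAccount -UserAccount $root -Password $newPlain -ErrorAction Stop |
            Out-Null
        [pscustomobject]@{ VMHost = $h; Status = 'Changed' }
    }
    catch {
        # A failed login usually means the blank password was already replaced;
        # anything else (unreachable host, policy rejection) shows in the message.
        [pscustomobject]@{ VMHost = $h; Status = "Not changed: $($_.Exception.Message)" }
    }
    finally {
        if ($conn) { Disconnect-VIServer -Server $conn -Confirm:$false }
    }
}

# Drop the plaintext copy and show the per-host outcome.
Remove-Variable newPlain
$results | Format-Table -AutoSize
```

Hosts reported as `Changed` were still on the blank password when the script ran, so the output doubles as a record of which hosts had been left in their deployment state.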