Recently Chris Wahl (@ChrisWahl) wrote a post on Using a Blank Initial ESXi Password to Your Advantage. If the root password on an ESXi host is blank, the vSphere Client places a warning on the host. The thought behind this method is that a non-complex root password on an ESXi host produces no warning, while a blank one does. That warning serves as a reminder to go back and set complex passwords on your ESXi hosts. Great post and nice tip.
There is another option for reducing the security risk of simple (or even blank) root passwords on the hosts: enabling Lockdown Mode.
Lockdown Mode can be enabled when adding a new host to the vCenter inventory or later in the host's Security Profile configuration. Lockdown Mode disables remote access to the host unless you have authenticated against vCenter.
Once enabled, Lockdown Mode can be disabled from the Security Profile configuration or from the DCUI on the host console.
When Lockdown Mode is enabled, the ESXi host can still be managed with the vCLI, the vMA, or PowerCLI, but all authentication must go through the vCenter Server managing the host. Attempts to access the host directly will fail.
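As an added example (not from Chris's post or this one), here is a PowerCLI script that reports the Lockdown Mode state of every host in a vCenter inventory and, when run with -Remediate, enables it where it is off. It assumes a current PowerCLI module is installed and that the vCenter name below is a placeholder you replace with your own.

```powershell
# Added example: audit Lockdown Mode across all ESXi hosts managed by a vCenter
# Server and optionally enable it where it is off. Because the script talks to
# vCenter rather than to the hosts directly, it keeps working after Lockdown
# Mode is on; the same calls aimed straight at a locked host would be refused.
param(
    [string]$VCenter = 'vcenter.example.local',   # placeholder, replace with your vCenter
    [switch]$Remediate                             # only change hosts when this is set
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # HostConfigInfo.AdminDisabled is true while Lockdown Mode is enabled
    $locked = [bool]$vmhost.ExtensionData.Config.AdminDisabled

    if (-not $locked -and $Remediate -and $vmhost.ConnectionState -eq 'Connected') {
        # HostSystem.EnterLockdownMode() is the vSphere API call behind the UI checkbox
        $vmhost.ExtensionData.EnterLockdownMode()
        # refresh the cached view so the report shows the new state
        $vmhost.ExtensionData.UpdateViewData('Config.AdminDisabled')
        $locked = [bool]$vmhost.ExtensionData.Config.AdminDisabled
    }

    [pscustomobject]@{
        Host     = $vmhost.Name
        State    = $vmhost.ConnectionState
        Lockdown = $locked
    }
}

# hosts with Lockdown Mode off sort to the top so they stand out
$report | Sort-Object Lockdown, Host | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Remediate first to see which hosts are exposed; disconnected hosts are reported but never changed.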
As Chris mentioned in his response to my comment on his post, Lockdown Mode is rarely used. I wonder why that is? It seems like a good security practice and provides a layer of defense against unauthorized host access.