For those that automate their ESXi installations using Kickstart aka ESXi scripted installation should be quite familiar with the ability to configure the root password as part of the installation. As described in the official ESXi documentation, the --rootpw option can either contain a plain text password (not recommended) or with the use of the additional --iscrypted option, a SHA512 hash of the password can also be used, which is definitely recommended and more secure.
However, when managing additional local users via ESXCLI system account, which I recently blogged about here, I noticed that you can only provide a plain text password either on the command-line (not recommended) or interactively, which prevents this process from being automated. As mentioned in the blog post, you could store the password and the commands into another script file and this will at least hide the password from being stored in the ESXi Shell log file (/var/log/shell.log) but this is far from ideal.
While sharing this feedback with Engineering as part of a feature enhancement request, I came to learn about a nice little utility that can be used with both ESXi 7.x and 8.x that can update local user by simply providing the encrypted SHA512 hash.