Assuming you have read this tweet from lemiorhan talking about how to get the root bypass.
After doing the above you are set with a root account with no password. If your remote access settings allow for "All Users" then root can access with no password.
If you enter a new password on the account and disable it, you can bypass all of that by starting the entire workflow over. Click the lock and enter root and leave the password blank. It will overwrite what you originally had set.
If you read this post by Patrick Wardle it goes over the lower level details on why this happens, and how it stores the password.
As of now the best way to mitigate this problem is to set a really strong password for the root account and then keep the root account enabled. This way you can't overwrite the password.
So without activating or deactivating accounts i.e. Users & Groups panel still only shows normal user(s):
sudo passwd
Now I cannot do the "click the lock" trick and I never had to activate root. Or did I somehow implicitly / accidentally activate root by doing these steps?