[tekacs]

If you disable the root user using `dsenableroot -d` from the Terminal, this seems to disable the account in a way that leaves its password intact.

[pwinnski]

The bug isn't in the disabling, it's in the auto-enabling on attempt.

[tekacs]

Having tested this by both approaches (disabling through GUI & shell), the above (through shell) seems to prevent this from re-occurring when you attempt to perform this bogus login again. Disabling the account via the GUI causes the failure to re-occur.