It's pretty easy to backup the ESXi configuration using PowerCLI, so that shouldn't be a concern. Another method to ensure that you can always get into the console is to enable SSH and use a SSH Public Key and disallow the user of the root password for SSH. This does require SSH to always be on and such, but as long as the Management Network is on an isolated subnet, then the risks are mitigated. Otherwise, schedule a task to run every night to dump the ESXi configuration to a static file and use that as a backup.
Host Profiles is another really nice method to manage and reset host settings, including the root password. There's some limitations and caveats to using Host Profiles, and personally I have never used them as I find them very cumbersome and use PowerCLI instead, but that's an option.
There's also something like SecretServer or Okta, which are Enterprise Password Managers that not only store the password, but also rotate the passwords on a certian frequency and can manage access to that password. This is the best option in my opinion becuase it keeps the passwords rotated, audits who access what password, and has good ACL built in.
Lastly, there is this article, which involves some hoop jumping to modify the shadow file on the ESXi host, resetting the password to blank and allowing you to reset things. I have never tried this article, but have always meant to as it seems sound but is not for the faint at heart by any means.