Really dangerous 1.4.1 bug? Default password came back

I still have no idea why that plain-text string was in the config at all, but here is something I found in further testing.

On both 1.4.0 and 1.4.1,
You have a ‘vyos’ user configured with an encrypted string, representing a strong password. This password will indeed work to log in.

If you enter the command:
set system login user vyos authentication plaintext-password 'NewGoodPassword'

Now before commit you do ‘show system login’

You will see both the old encrypted string and the new plain-text password exactly as you entered it, with a + next to it, indicating that it will be added on commit. If you commit, the plain-text line is consumed by the configuration parser and a single new encrypted password line is written out to the config. You now have only one line, and it is the encrypted password.

If you do the same thing, but this time set the plain-text password to ‘’
You now commit and end up with an additional line. You have the original encrypted line, which still actually is the current and active password for the user. You also have an additional line that says the plain-text password is ‘’, which has no effect on anything, and you cannot log in to the system with null or ‘vyos’. The encrypted password is what you will need to log in to the system.

It would seem, however, that when the system upgrade parser runs when you upgrade to the next version of VyOS, it will pick up that plain-text line and parse it into a wide open default ‘vyos’ encrypted password.
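
A pre-upgrade audit for the condition described in the post above, as an added example that is not part of the original post or of VyOS itself: it scans a saved configuration and reports every login user whose authentication block still carries a plaintext-password line. It assumes the usual brace-style layout of a saved VyOS config; the sample config and the function name are constructed for illustration.

```python
# Constructed sample in the brace-style layout of a saved VyOS config.
SAMPLE_CONFIG = """
system {
    login {
        user vyos {
            authentication {
                encrypted-password "$6$constructed$placeholderhash"
                plaintext-password ""
            }
        }
        user admin {
            authentication {
                encrypted-password "$6$constructed$otherplaceholder"
            }
        }
    }
}
"""


def find_residual_plaintext(config_text):
    """Return (user, plaintext_value, has_encrypted) for each login user whose
    authentication block still holds a plaintext-password line."""
    path = []    # stack of open node names, e.g. ["system", "login", "user vyos"]
    users = {}   # user name -> {leaf name: leaf value} from its authentication block
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if path:
                path.pop()
        elif (len(path) == 4 and path[:2] == ["system", "login"]
              and path[2].startswith("user ") and path[3] == "authentication"):
            key, _, value = line.partition(" ")
            user = path[2].split(None, 1)[1]
            users.setdefault(user, {})[key] = value.strip().strip("\"'")
    return [(u, leaves["plaintext-password"], "encrypted-password" in leaves)
            for u, leaves in sorted(users.items())
            if "plaintext-password" in leaves]


if __name__ == "__main__":
    for user, value, has_enc in find_residual_plaintext(SAMPLE_CONFIG):
        print(f"user {user}: residual plaintext-password {value!r}, "
              f"encrypted-password present: {has_enc}")
```

Any user it reports should have the leftover plaintext-password line removed and the change committed and saved before the image is upgraded.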