As far as I understand it, you cannot change the root password, and libreelec removed ability to use anonymous shares as per:
It is not possible to change the password (without recompiling the distro with a different one) because the password file is contained inside the read-only squashfs SYSTEM file (the read-only part is the challenge).
Anonymous Windows shares are NOT supported by Kodi so you should ensure that access to the Windows 7 share is restricted with a username/password and that "password authentication" is enabled on the Windows share. Kodi should then prompt for a username/password when accessing the share.
Though the author states Kodi, I believe librelec was intended (I could be wrong, but kodi windows 17.6 does works fine with anonymous share.)
So I went from having my librelec box not locked down (no issues), to now have to put in a clear text password of a valid user on my windows share. Now I naturally could create a user that only has access to this share or guest, but this is probably not well understood, or common practice. Whereas before, only things being exposed, were things that were fine to be exposed, ( e.g. my windows share with no sensitive data and libreelec user/pass,) now I am more likely going to share sensitive data (e.g. a valid user on my windows server.)
I would argue that in adding this "security enhancement", by and large the impact is less security for those involved. As previously stated, there are work arounds that would do as intended, but I do not beleive this is well documented, or understood by most or even possible to be understood by most.
If any of my assumptions are incorrect, please let me know.