diff --git a/playbook_distribute_authorized_keys.yml b/playbook_distribute_authorized_keys.yml
index 2821776..b52c070 100644
--- a/playbook_distribute_authorized_keys.yml
+++ b/playbook_distribute_authorized_keys.yml
@@ -5,6 +5,13 @@
     - accesspoints
   gather_facts: no
   tasks:
+    - name: set root password
+      user:
+        name: root
+        # https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#hash-filters
+        # using md5 because that is the only? supported hash type for busybox on openwrt 21.03
+        password: "{{ lookup('passwordstore', '{{ group_names | first }}/{{ inventory_hostname }}') | password_hash('md5', 65534 | random(seed=inventory_hostname) | string) }}"
+
     - name: deploy authorized_keys
       copy:
         src: files/authorized_keys