Not a bad idea, but how do you keep people from peeking at the passwords with root access on their own VM?

They are asking for code or a brief description of how you proceeded through the steps. If you're going to take the time to document the process (correctly) then it shouldn't matter that you have the root password. Presumably you'd get stuck at some point where you couldn't explain how you achieved the subsequent step.

How do you keep yourself from rifling through the deck to find the Aces when you play solitaire?