As a security measure, you can rotate passwords for the logical and physical accounts on all racks in your system. The process of password rotation generates randomized passwords for the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts managed by SDDC Manager. By default, auto-rotation is enabled for vCenter Server.

You can rotate passwords for the following accounts.

  • ESXi
    Note: Auto-rotate is not suported for ESXi.
  • vCenter Server

    By default, the vCenter Server root password expires after 90 days.

  • vSphere Single-Sign On (PSC)
  • NSX Edge nodes
  • NSX Manager
  • vRealize Suite Lifecycle Manager
  • vRealize Log Insight
  • vRealize Operations
  • vRealize Automation
  • Workspace ONE Access
  • SDDC Manager backup user
The default password policy for rotated passwords are:
  • 20 characters in length
  • At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
  • No more than two of the same characters consecutively

If you changed the vCenter Server password length using the vSphere Client or the ESXi password length using the VMware Host Client, rotating the password for those components from SDDC Manager generates a password that complies with the password length that you specified.

To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.


  • Verify that there are no currently failed workflows in SDDC Manager. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
  • Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
  • Only a user with the ADMIN role can perform this task.


  1. In the navigation pane, click Administration > Security > Password Management.

    The Password Management page displays a table of the credentials that SDDC Manager is able to manage. For each account it lists username, FQDN of the component it belongs to, workload domain, last modified date, and rotation schedule and next rotation date if applicable.

    You can click the filter icon next to the table header and filter the results by a string value. For example, click the icon next to User Name and enter admin to display only domains with that user name value.

  2. Select the account for which you want to rotate passwords from the Component drop-down menu. For example, ESXI.
  3. Select one or more accounts and click one of the following operation.
    • Rotate Now
    • Schedule Rotation
      You can set the password rotation interval (30 days, 60 days, or 90 days). You can also deactivate the schedule.
      Note: Auto-rotate schedule is configured to run at midnight on the scheduled date. If auto-rotate could not start due to any technical issue, there is a provision to auto-retry every hour till start of the next day. In case schedule rotation is missed due to technical issues the UI displays a global notification with failed task status. The status of the schedule rotation can also be checked on the Tasks panel.
    A message appears at the top of the page showing the progress of the operation. The Tasks panel also shows detailed status for the password rotation operation. To view sub-tasks, click the task name. As each of these tasks is run, the status is updated. If the task fails, you can click Retry.


Password rotation is complete when all sub-tasks are completed successfully.