This appendix aggregates the default password policy settings for each product within the Identity and Access Management for VMware Cloud Foundation validated solution. You can use this list of password policy settings for reference when you perform password management.

ESXi Hosts

Table 1. Default Password Expiration Policy for ESXi Hosts

| Setting | Default | Description |
|---|---|---|
| Security.PasswordMaxDays | 99999 (never) | Maximum number of days before password expiration |

Table 2. Default Password Complexity Policy for ESXi Hosts

| Setting | Default | Description |
|---|---|---|
| Security.PasswordQualityControl | retry=3 min=disabled,disabled,disabled,7,7 | Maximum number of retries; required character classes; minimum password length (characters) |
| Security.PasswordHistory | 0 | Maximum number of passwords that the system remembers |
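As an added example (not code from the VMware documentation), the following Python parses the Security.PasswordQualityControl string and evaluates a candidate password the way pam_passwdqc interprets the min= fields; the multi-word passphrase rule (N2) is not modelled, and the policy value is the ESXi default from Table 2.

```python
# Added example, not part of the VMware documentation: models the pam_passwdqc
# rule "min=N0,N1,N2,N3,N4": N0, N1, N3 and N4 are the minimum lengths for
# passwords built from 1, 2, 3 or 4 character classes; N2 (passphrases) is skipped.
import re

DISABLED = float("inf")                        # "disabled": never accepted
INDEX_FOR_CLASSES = {1: 0, 2: 1, 3: 3, 4: 4}   # class count -> position in min=

def parse_quality_control(value):
    """Parse 'retry=3 min=disabled,disabled,disabled,7,7' into a policy dict."""
    m = re.fullmatch(r"retry=(\d+)\s+min=(\S+)", value.strip())
    if not m:
        raise ValueError(f"unrecognised PasswordQualityControl value: {value!r}")
    mins = [DISABLED if f == "disabled" else int(f) for f in m.group(2).split(",")]
    if len(mins) != 5:
        raise ValueError("min= must list exactly five values N0..N4")
    return {"retry": int(m.group(1)), "min": mins}

def character_classes(password):
    """Count character classes the way pam_passwdqc does: a leading uppercase
    letter and a trailing digit are such common patterns that they do not count."""
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    others = len(password) - digits - uppers - lowers
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, uppers, lowers, others) if n)

def check_esxi_password(policy, password):
    """Return None if the password satisfies the policy, else the reason."""
    if not password:
        return "empty password"
    classes = character_classes(password)
    if classes == 0:
        return "not enough character classes"
    needed = policy["min"][INDEX_FOR_CLASSES[classes]]
    if len(password) >= needed:
        return None
    if needed == DISABLED:
        return f"passwords with {classes} character class(es) are disabled"
    return f"{classes} classes need at least {needed} characters, got {len(password)}"

# Constructed input: the ESXi default value from Table 2.
ESXI_DEFAULT = parse_quality_control("retry=3 min=disabled,disabled,disabled,7,7")
```

With the default, a password such as Secret12 counts as only two classes (the leading S and trailing 2 are discounted) and is rejected, while sEcret12 counts three classes and passes at seven or more characters.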

Table 3. Default Account Lockout Policy for ESXi Hosts

| Setting | Default | Description |
|---|---|---|
| Security.AccountLockFailures | 5 | Maximum number of authentication failures before the account is locked |
| Security.AccountUnlockTime | 900 | Amount of time in seconds that the account remains locked |

vCenter Server

Table 4. Default Global Password Expiration Policy for vCenter Server

| Setting | Default | Description |
|---|---|---|
| Maximum (days) | 90 | Maximum number of days between password changes |
| Minimum (days) | 0 | Minimum number of days between password changes |
| Warning | 7 | Number of days of warning before a password expires |

Table 5. Default Local User Password Expiration Policy for vCenter Server

| Setting | Default | Description |
|---|---|---|
| Password Expires | Yes | The virtual appliance root password is set to expire |
| Password validity | 90 | Maximum number of days before password expiration |
| Email for expiration warning | - | Email address for password expiration warnings |
| Warning (days) | 7 | Number of days of warning before a password expires |

Table 6. Default Local User Password Complexity Policy for vCenter Server

| Setting | Default | Description |
|---|---|---|
| dcredit | -1 | Maximum number of digits that generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that generate a credit |
| lcredit | -1 | Maximum number of lowercase characters that generate a credit |
| ocredit | -1 | Maximum number of other characters that generate a credit |
| minlen | 6 | Minimum password length (number of characters) |
| difok | 4 | Minimum number of characters that must be different from the old password |
| remember | 5 | Maximum number of passwords that the system remembers |

Table 7. Default Account Lockout Policy for vCenter Server

| Setting | Default | Description |
|---|---|---|
| deny | 3 | Maximum number of authentication failures before the account is locked |
| unlock_time | 900 | Amount of time in seconds that the account remains locked |
| root_unlock_time | 300 | Amount of time in seconds that the root account remains locked |

Table 8. Default Password Expiration Policy for vCenter Single Sign-On

| Setting | Default | Description |
|---|---|---|
| Maximum lifetime | 90 | Maximum number of days before expiration |

Table 9. Default Password Complexity Policy for vCenter Single Sign-On

| Setting | Default | Description |
|---|---|---|
| Restrict reuse | 5 | Number of previous passwords that cannot be reused |
| Maximum length | 20 | Maximum password length (number of characters) |
| Minimum length | 8 | Minimum password length (number of characters) |
| Special characters | 1 | Minimum number of special characters |
| Alphabetic characters | 2 | Minimum number of alphabetic characters |
| Uppercase characters | 1 | Minimum number of uppercase characters |
| Lowercase characters | 1 | Minimum number of lowercase characters |
| Numeric characters | 1 | Minimum number of numeric characters |
| Identical adjacent characters | 1 | Maximum number of identical adjacent characters |

Table 10. Default Account Lockout Policy for vCenter Single Sign-On

| Setting | Default | Description |
|---|---|---|
| Maximum number of failed login attempts | 5 | Maximum number of authentication failures before the account is locked |
| Time interval between failures | 180 | Amount of time in seconds within which failed login attempts must occur to trigger a lockout |
| Unlock time | 900 | Amount of time in seconds that the account remains locked. If you set it to 0, the administrator must unlock the account explicitly. |

NSX

Table 11. Default Password Expiration Policy for NSX Local Manager Clusters and NSX Edge Nodes

| Setting | Default | Description |
|---|---|---|
| maxdays | 90 | Maximum number of days between password changes |

Table 12. Default Password Complexity Policy for NSX Local Manager Clusters and NSX Edge Nodes

| Setting | Default | Description |
|---|---|---|
| dcredit | -1 | Maximum number of digits that generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that generate a credit |
| lcredit | -1 | Maximum number of lowercase characters that generate a credit |
| ocredit | -1 | Maximum number of other characters that generate a credit |
| minlen | 15 | Minimum password length (number of characters) |
| difok | 0 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |

Table 13. Default Account Lockout Policy for NSX

| Method | Scope | Setting | Default | Description |
|---|---|---|---|---|
| API | NSX Local Manager | max-auth-failures | 5 | Maximum number of authentication failures before the account is locked |
| API | NSX Local Manager | lockout-reset-period | 180 | Amount of time in seconds within which failed login attempts must occur to trigger a lockout |
| API | NSX Local Manager | lockout-period | 900 | Amount of time in seconds that the account remains locked |
| CLI | NSX Local Manager, NSX Edge | max-auth-failures | 5 | Maximum number of authentication failures before the account is locked |
| CLI | NSX Local Manager, NSX Edge | lockout-period | 900 | Amount of time in seconds that the account remains locked |

SDDC Manager

Table 14. Default Password Expiration Policy for SDDC Manager

| Setting | Default | Description | Notes |
|---|---|---|---|
| maxdays | 90 | Maximum number of days between password changes | VMware Cloud Foundation 4.5 and later |
| maxdays | 365 | Maximum number of days between password changes | VMware Cloud Foundation 4.4 and later |
| mindays | 0 | Minimum number of days between password changes | - |
| warndays | 7 | Number of days of warning before a password expires | - |

Table 15. Default Password Complexity Policy for SDDC Manager

| Setting | Default | Description |
|---|---|---|
| dcredit | -1 | Maximum number of digits that generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that generate a credit |
| lcredit | -1 | Maximum number of lowercase characters that generate a credit |
| ocredit | -1 | Maximum number of other characters that generate a credit |
| minlen | 8 | Minimum password length (number of characters) |
| minclass | 4 | Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on) |
| difok | 4 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
| maxsequence | 0 | Maximum number of times a single character can be repeated |
| remember | 5 | Maximum number of passwords the system remembers |
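As an added example (not code from the VMware documentation), the following Python models how pam_pwquality and pam_cracklib apply the dcredit, ucredit, lcredit, ocredit, minlen and minclass parameters listed in Tables 6, 12 and 15: a negative credit is a required minimum count for that class, while a non-negative credit lets characters of that class add points toward minlen. The policy objects are constructed from the SDDC Manager defaults in Table 15; difok, remember and maxsequence are not modelled.

```python
# Added example, not part of the VMware documentation: models the pam_pwquality /
# pam_cracklib length-score rule. A negative credit is a required minimum count
# for that class; a non-negative credit adds up to that many points to the score.
# difok, remember and maxsequence are not modelled here.
from dataclasses import dataclass

@dataclass
class PwqualityPolicy:
    minlen: int = 8
    minclass: int = 0
    dcredit: int = -1
    ucredit: int = -1
    lcredit: int = -1
    ocredit: int = -1

def class_counts(password):
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    return {"digit": digits, "upper": uppers, "lower": lowers,
            "other": len(password) - digits - uppers - lowers}

def check_pwquality(policy, password):
    """Return [] if the password satisfies the policy, else the list of failures."""
    counts = class_counts(password)
    credits = {"digit": policy.dcredit, "upper": policy.ucredit,
               "lower": policy.lcredit, "other": policy.ocredit}
    score = len(password)
    failures = []
    for cls, n in counts.items():
        credit = credits[cls]
        if credit < 0:
            # Negative credit: at least -credit characters of this class, no bonus.
            if n < -credit:
                failures.append(f"needs at least {-credit} {cls} character(s)")
        else:
            # Non-negative credit: up to `credit` extra points, so short passwords can reach minlen.
            score += min(n, credit)
    if score < policy.minlen:
        failures.append(f"length score {score} is below minlen {policy.minlen}")
    classes = sum(1 for n in counts.values() if n)
    if classes < policy.minclass:
        failures.append(f"{classes} character classes, minclass is {policy.minclass}")
    return failures

# Constructed policies: the SDDC Manager defaults from Table 15, and a variant
# with credits switched on to show why the defaults set every credit to -1.
SDDC_MANAGER_DEFAULT = PwqualityPolicy(minlen=8, minclass=4)
CREDITS_ENABLED = PwqualityPolicy(minlen=8, dcredit=1, ucredit=1, lcredit=1, ocredit=1)
```

With credits enabled, the four-character password Pa1! scores 8 and satisfies minlen=8; with every credit at -1, as in the defaults above, minlen is a true character count and the same password is rejected.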

Table 16. Default Account Lockout Policy for SDDC Manager

| Setting | Default | Description |
|---|---|---|
| deny | 3 | Maximum number of authentication failures before the account is locked |
| unlock_time | 86400 | Amount of time in seconds that the account remains locked |
| root_unlock_time | 300 | Amount of time in seconds that the root account remains locked |