Appendix: Default Password Policy Settings for Identity and Access Management for VMware Cloud Foundation

The appendix aggregates the default password policy settings for each product within the Identity and Access Management for VMware Cloud Foundation validated solution. You can use this password policy settings list for reference when you perform password management.

ESXi Hosts

Table 1. Default Password Expiration Policy for ESXi Hosts
Setting	Default	Description
`Security.PasswordMaxDays`	99999 (never)	Maximum number of days before password expiration

Table 2. Default Password Complexity Policy for ESXi Hosts
Setting	Default	Description
`Security.PasswordQualityControl`	`retry=3 min=disabled,disabled,disabled,7,7`	Maximum number of retries Required character classes Minimum password length (characters)
`Security.PasswordHistory`	`0`	Maximum number of passwords that the system remembers

Table 3. Default Account Lockout Policy for ESXi Hosts
Setting	Default	Description
`Security.AccountLockFailures`	`5`	Maximum number of authentication failures before the account is locked
`Security.AccountUnlockTime`	`900`	Amount of time in seconds that the account remains locked

vCenter Server

Table 4. Default Global Password Expiration Policy for vCenter Server
Setting	Default	Description
Maximum (days)	`90`	Maximum number of days between password change
Minimum (days)	`0`	Minimum number of days between password change
Warning	`7`	Number of days of warning before a password expires

Table 5. Default Local User Password Expiration Policy for vCenter Server
Setting	Default	Description
Password Expires	Yes	The virtual appliance root password is set to expire
Password validity	`90`	Maximum number of days before password expiration
Email for expiration warning	-	Email for password expiration warnings
Warning (days)	`7`	Number of days of warning before a password expires

Table 6. Default Local User Password Complexity Policy for vCenter Server
Setting	Default	Description
`dcredit`	`-1`	Maximum number of digits that generate a credit
`ucredit`	`-1`	Maximum number of uppercase characters that generate a credit
`lcredit`	`-1`	Maximum number of lowercase characters that generate a credit
`ocredit`	`-1`	Maximum number of other characters that generate a credit
`minlen`	`6`	Minimum password length (number of characters)
`difok`	`4`	Minimum number of characters that must be different from the old password
`remember`	`5`	Maximum number of passwords that the system remembers

Table 7. Default Account Lockout Policy for vCenter Server
Setting	Default	Description
`deny`	`3`	Maximum number of authentication failures before account is locked
`unlock_time`	`900`	Amount of time in seconds that the account remains locked
`root_unlock_time`	`300`	Amount of time in seconds that the root account remains locked

Table 8. Default Password Expiration Policy for vCenter Single Sign-On
Setting	Default	Description
Maximum lifetime	`90`	Maximum number of days before expiration

Table 9. Default Password Complexity Policy for vCenter Single Sign-On
Setting	Default	Description
Restrict reuse	`5`	Number of previous passwords that cannot be reused
Maximum length	`20`	Maximum password length (number of characters)
Minimum length	`8`	Minimum password length (number of characters)
Special characters	`1`	Minimum number of special characters
Alphabetic characters	`2`	Minimum number of alphabetic characters
Uppercase characters	`1`	Minimum number of uppercase characters
Lowercase characters	`1`	Minimum number of lowercase characters
Numeric characters	`1`	Minimum number of numeric characters
Identical adjacent characters	`1`	Maximum number of identical adjacent characters

Table 10. Default Account Lockout Policy for vCenter Single Sign-On
Setting	Default	Description
Maximum number of failed login attempts	`5`	Maximum number of authentication failures before the account is locked
Time interval between failures	`180`	Amount of time in seconds within which failed login attempts must occur to trigger a lockout
Unlock time	`900`	Amount of time in seconds that the account remains locked. If you set it to 0, the administrator must unlock the account explicitly.

NSX

Table 11. Default Password Expiration Policy for NSX Local Manager Clusters and NSX Edge Nodes
Setting	Default	Description
`maxdays`	`90`	Maximum number of days between password change

Table 12. Default Password Complexity Policy for NSX Local Manager Clusters and NSX Edge Nodes
Setting	Default	Description
`dcredit`	`-1`	Maximum number of digits that generate a credit
`ucredit`	`-1`	Maximum number of uppercase characters that generate a credit
`lcredit`	`-1`	Maximum number of lowercase characters that generate a credit
`ocredit`	`-1`	Maximum number of other characters that generate a credit
`minlen`	`15`	Minimum password length (number of characters)
`difok`	`0`	Minimum number of characters that must be different from the old password
`retry`	`3`	Maximum number of retries

Table 13. Default Account Lockout Policy for NSX
Method	Scope	Setting	Default	Description
API	NSX Local Manager	`max-auth-failures`	`5`	Maximum number of authentication failures before the account is locked
		`lockout-reset-period`	`180`	Amount of time in seconds within which failed login attempts must occur to trigger a lockout
		`lockout-period`	`900`	Amount of time in seconds that the account remains locked
CLI	NSX Local Manager NSX Edge	`max-auth-failures`	`5`	Maximum number of authentication failures before the account is locked
CLI	NSX Local Manager NSX Edge	`lockout-period`	`900`	Amount of time in seconds that the account remains locked

SDDC Manager

Table 14. Default Password Expiration Policy for SDDC Manager
Setting	Default	Description	Notes
`maxdays`	`90`	Maximum number of days between password change	VMware Cloud Foundation 4.5 and later
`maxdays`	`365`	Maximum number of days between password change	VMware Cloud Foundation 4.4 and later
`mindays`	`0`	Minimum number of days between password change.	-
`warndays`	`7`	Number of days of warning before a password expires	-

Table 15. Default Password Complexity Policy for SDDC Manager
Setting	Default	Description
`dcredit`	`-1`	Maximum number of digits that generate a credit
`ucredit`	`-1`	Maximum number of uppercase characters that generate a credit
`lcredit`	`-1`	Maximum number of lowercase characters that generate a credit
`ocredit`	`-1`	Maximum number of other characters that generate a credit
`minlen`	`8`	Minimum password length (number of characters)
`minclass`	`4`	Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on)
`difok`	`4`	Minimum number of characters that must be different from the old password
`retry`	`3`	Maximum number of reties
`maxsequence`	`0`	Maximum number of times a single character can be repeated
`remember`	`5`	Maximum number of passwords the system remembers

Table 16. Default Account Lockout Policy for SDDC Manager
Setting	Default	Description
`deny`	`3`	Maximum number of authentication failures before the account is locked
`unlock_time`	`86400`	Amount of time in seconds that the account remains locked
`root_unlock_time`	`300`	Amount of time in seconds that the root account remains locked