Users in the local domain, vsphere.local by default, can change their vCenter Single Sign-On passwords from a Web interface. Users in other domains change their passwords following the rules for that domain.

About this task

The password policy that is defined in the vCenter Single Sign-On configuration interface determines when your password expires. By default, vCenter Single Sign-On passwords expire after 90 days, but your system administrator might change this default depending on the policy of your organization. The vSphere Web Client reminds you when your password is about to expire. You can reset an expired password if you know the old password.


You can change a password only if it is not expired.

If the password is expired, the administrator of the local domain, administrator@vsphere.local by default, can reset the password by using the dir-cli password reset command. Only members of the Administrator group for the vCenter Single Sign-On domain can reset passwords.


  1. From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.



    vSphere Web Client


    Platform Services Controller


    In an embedded deployment, the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.

    If you specified a different domain during installation, log in as administrator@mydomain.

  3. In the upper navigation pane, to the left of the Help menu, click your user name to pull down the menu.

    As an alternative, you can select Single Sign-On > Users and Groups and select Edit User from the right-button menu.

  4. Select Change Password and type your current password.
  5. Type a new password and confirm it.

    The password must conform to the password policy.

  6. Click OK.