When you add a host to the vCenter Server inventory, vCenter Server creates a special user account called vpxuser on the host. vpxuser is a privileged account that acts as a proxy for all actions initiated through vCenter Server. Ensure that the default settings for the vpxuser password meet the requirements of your organization's password policy.

By default, vCenter Server generates a new vpxuser password every 30 days using OpenSSL crypto libraries as a source of randomness. The password is 32 characters long and is guaranteed to contain at least one symbol from four character classes: symbols (-./:=@[\\]^_{}~), digits (1-9), uppercase letters, and lowercase letters. Ensuring that the password expires periodically limits the amount of time an attacker can use the vpxuser password if it is compromised.

You can change the default value for password expiration and for password length to meet your password policy. Using shorter passwords and allowing less frequent password changes makes your environment less secure.
Important: To preclude the possibility that vCenter Server is locked out of the ESXi host, the password aging policy must not be shorter than the interval that is set to automatically change the vpxuser password.


  1. To change the password length policy, edit the vpxd.hostPasswordLength parameter in the vCenter Server configuration file on the system where vCenter Server is running.
    Operating System Default Location
    Windows C:\Documents and Settings\All Users\Application Data\VMware VirtualCenter\vpxd.cfg
    Linux /etc/vmware-vpx/vpxd.cfg
  2. To change the password aging requirement, use the Advanced Settings dialog box in the vSphere Web Client.
    1. Browse to the vCenter Server system in the vSphere Web Client inventory.
    2. Click the Manage tab and click Settings.
    3. Select Advanced Settings
    4. Click Edit and locate the VirtualCenter.VimPasswordExpirationInDays parameter.
    5. Type the new value and click OK.
  3. Restart vCenter Server.