To manage your environment, you must be aware of the vCenter Single Sign-On password policy, of vCenter Server passwords, and of lockout behavior.
vCenter Single Sign-On Administrator Password
The password for firstname.lastname@example.org must meet the following requirements:
At least 8 characters
At least one lowercase character
At least one numeric character
At least one special character
The password for email@example.com cannot be more than 20 characters long. Only visible ASCII characters are allowed. That means, for example, that you cannot use the space character.
vCenter Server Passwords
In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory, OpenLDAP, or the local operating system for the vCenter Single Sign-On server (not recommended).
Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after five consecutive failed attempt in three minutes and a locked account is unlocked automatically after five minutes. You can change these defaults using the lockout policy. See Edit the vCenter Single Sign-On Lockout Policy.
Starting with vSphere 6.0, the system domain administrator, firstname.lastname@example.org by default, is not affected by the lockout policy.
Any user can change their password by using the dir-cli password change command. If a user forgets the password, the administrator can reset the password by using the dir-cli password reset command.
See ESXi Passwords and Account Lockout for a discussion of passwords of ESXi local users.