To manage your environment, you must be aware of the vCenter Single Sign-On password policy, of vCenter Server passwords, and of lockout behavior.

vCenter Single Sign-On Administrator Password

The password for administrator@vsphere.local must meet the following requirements:
  • At least 8 characters
  • At least one lowercase character
  • At least one numeric character
  • At least one special character

The password for administrator@vsphere.local cannot be more than 20 characters long. Only visible ASCII characters are allowed. That means, for example, that you cannot use the space character.
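The following Python check is an added example, not VMware code. It tests a candidate administrator@vsphere.local password against the requirements listed above, for instance before a deployment script passes it to an installer. It assumes that "special character" means ASCII punctuation; the function name and the sample values are constructed for illustration.

```python
import string

# Limits taken from the requirements listed above.
MIN_LEN = 8
MAX_LEN = 20


def sso_admin_password_violations(password: str) -> list:
    """Return the requirements the candidate fails; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LEN:
        violations.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        violations.append("longer than 20 characters")
    # Visible ASCII runs from 0x21 ('!') to 0x7E ('~'). Space, tab, control
    # characters and anything outside ASCII are rejected.
    bad = sorted({c for c in password if not 0x21 <= ord(c) <= 0x7E})
    if bad:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bad)
        violations.append("non-visible or non-ASCII characters: " + codes)
    if not any(c in string.ascii_lowercase for c in password):
        violations.append("no lowercase character")
    if not any(c in string.digits for c in password):
        violations.append("no numeric character")
    # Assumption: "special" means ASCII punctuation (string.punctuation).
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = ["vSph3re!Lab", "short1!", "pass word1!", "PASSWORD1!"]
    for number, candidate in enumerate(samples, start=1):
        problems = sso_admin_password_violations(candidate)
        print(f"sample {number}:", "OK" if not problems else "; ".join(problems))
```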

vCenter Server Passwords

In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory, OpenLDAP, or the local operating system for the vCenter Single Sign-On server (not recommended).

Lockout Behavior

Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after five consecutive failed attempts in three minutes, and a locked account is unlocked automatically after five minutes. You can change these defaults using the lockout policy. See Edit the vCenter Single Sign-On Lockout Policy.

Starting with vSphere 6.0, the system domain administrator, administrator@vsphere.local by default, is not affected by the lockout policy.

Any user can change their password by using the dir-cli password change command. If a user forgets the password, the administrator can reset the password by using the dir-cli password reset command.

See ESXi Passwords and Account Lockout for a discussion of passwords of ESXi local users.