Password restrictions, lockout, and expiration in your vSphere environment depend on the system that the user targets, who the user is, and how policies are set.

ESXi Passwords

ESXi password restrictions are determined by the Linux PAM module pam_passwdqc. See ESXi Passwords and Account Lockout.

Passwords for vCenter Server and Other vCenter Services

vCenter Single Sign-On manages authentication for all users who log in to vCenter Server and other vCenter services. The password restrictions, lockout, and expiration depend on the user's domain and on who the user is.


The password for the administrator@vsphere.local user, or the administrator@mydomain user if you selected a different domain during installation, does not expire and is not subject to the lockout policy. In all other regards, the password must follow the restrictions set in the vCenter Single Sign-On password policy. See Edit the vCenter Single Sign-On Password Policy.

If you forget the password for this user, search the VMware Knowledge Base system for information on resetting this password.

Other vsphere.local users

The passwords for other vsphere.local users, or users of the local domain you specified during installation, must follow the restrictions set by the vCenter Single Sign-On password policy and lockout policy. See Edit the vCenter Single Sign-On Password Policy and Edit the vCenter Single Sign-On Lockout Policy. These passwords expire after 90 days by default, though administrators can change the expiration as part of the password policy.

If a user forgets their vsphere.local password, an administrator user can reset the password using the dir-cli command.

Other Users

Password restrictions, lockout, and expiration for all other users are determined by the domain (identity source) to which the user can authenticate.

vCenter Single Sign-On supports one default identity source, and users can log in to the vSphere Client with just their user names. The domain determines the password parameters. If users want to log in as a user in a non-default domain, they can include the domain name, that is, specify user@domain or domain\user. The domain's password parameters apply in this case as well.

Passwords for vCenter Server Appliance Direct Console User Interface Users

The vCenter Server Appliance is a preconfigured Linux-based virtual machine, which is optimized for running vCenter Server and the associated services on Linux.

When you deploy the vCenter Server Appliance, you specify a password for the root user of the appliance Linux operating system and a password for the administrator@vsphere.local user. You can change the root user password and perform other vCenter Server Appliance local user management tasks from the Direct Console User Interface. See vCenter Server Appliance Configuration.