Password restrictions, lockout, and expiration in your vSphere environment depend on the system that the user targets, who the user is, and how policies are set.

ESXi Passwords

ESXi password restrictions are determined by the Linux PAM module pam_passwdqc. See the Linux manpage for pam_passwdqc and see ESXi Passwords and Account Lockout.

Passwords for vCenter Server and Other vCenter Services

vCenter Single Sign-On manages authentication for all users who log in to vCenter Server and other vCenter services. The password restrictions, lockout, and expiration depend on the user's domain and on who the user is.

vCenter Single Sign-On Administrator

The password for the vCenter Single Sign-On administrator is administrator@vsphere.local by default or administrator@mydomain if you specified a different domain during installation. This password does not expire. In all other regards, the password must follow the restrictions that are set in the vCenter Single Sign-On password policy. See Platform Services Controller Administration for details.

If you forget the password for this user, search the VMware Knowledge Base system for information on resetting this password. The reset requires additional privileges such as root access to the vCenter Server system.

Other Users of the vCenter Single Sign-On Domain

Passwords for other vsphere.local users, or users of the domain that you specified during installation, must follow the restrictions set by the vCenter Single Sign-On password and lockout policies. See Platform Services Controller Administration for details. These passwords expire after 90 days by default, though administrators can change the expiration as part of the password policy.

If you forget your vsphere.local password, an administrator user can reset the password using the dir-cli command.

Other Users

Password restrictions, lockout, and expiration for all other users are determined by the domain (identity source) to which the user can authenticate.

vCenter Single Sign-On supports one default identity source, and users can log in to the corresponding domain with the vSphere Web Client with just their user names. If users want to log in to a non-default domain, they can include the domain name, that is, specify user@domain or domain\user. The domain password parameters apply to each domain.

Passwords for vCenter Server Appliance Direct Console User Interface Users

The vCenter Server Appliance is a preconfigured Linux-based virtual machine that is optimized for running vCenter Server and the associated services on Linux.

When you deploy the vCenter Server Appliance, you specify these passwords.

  • Password for the root user of the appliance Linux operating system.

  • Password for the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default.

You can change the root user password and perform other vCenter Server Appliance local user management tasks from the appliance console. See vCenter Server Appliance Configuration.