For ESXi hosts, you have to use a password with predefined requirements. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.
ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the VMware Host Client.
- By default, you have to include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash when you create a password.
- By default, password length is more than 7 and less than 40.
- Passwords cannot contain a dictionary word or part of a dictionary word.
Example ESXi Passwords
retry=3 min=disabled,disabled,disabled,7,7With this setting, passwords with one or two character classes and pass phrases are not allowed, because the first three items are disabled. Passwords from three- and four-character classes require seven characters. See the pam_passwdqc man page for details.
- xQaTEhb!: Contains eight characters from three character classes.
- xQaT3#A: Contains seven characters from four character classes.
- Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two. The minimum number of required character classes is three.
- xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of required character classes is three.
ESXi Pass Phrase
Instead of a password, you can also use a pass phrase. However, pass phrases are disabled by default. You can change this default or other settings, by using the Security.PasswordQualityControl advanced option from the vSphere Client.
For example, you can change the option to the following.
This example allows pass phrases of at least 16 characters and at least three words, separated by spaces.
For legacy hosts, changing the /etc/pamd/passwd file is still supported, but changing the file is deprecated for future releases. Use the Security.PasswordQualityControl advanced option instead.
Changing Default Password Restrictions
You can change the default restriction on passwords or pass phrases by using the Security.PasswordQualityControl advanced option for your ESXi host. See vCenter Server and Host Management documentation for information on setting ESXi advanced options.
retry=3 min=disabled,disabled,15,7,7 passphrase=4See the man page for pam_passwdqc for details.
ESXi Account Lockout Behavior
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.
Configuring Login Behavior
- Security.AccountLockFailures. Maximum number of failed login attempts before a user's account is locked. Zero disables account locking.
- Security.AccountUnlockTime. Number of seconds that a user is locked out.
See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.