The vCenter Single Sign-On password policy determines the password format and password expiration. Password policy applies only to users in the vCenter Single Sign-On domain (vsphere.local).

By default, vCenter Single Sign-On built-in user account passwords expire after 90 days. The vSphere Client reminds you when your password is about to expire.

See Change Your vCenter Single Sign-On Password.
Note: The administrator account (administrator@vsphere.local) is never locked out, and its password never expires. Proper security practice is to audit logins from this account and rotate the password regularly.


  1. Log in with the vSphere Client to the vCenter Server.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
    If you specified a different domain during installation, log in as administrator@mydomain.
  3. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Single Sign On, click Configuration.
  4. Click the Local Accounts tab.
  5. Click Edit for the Password Policy row.
  6. Edit the password policy.
    | Option | Description |
    |---|---|
    | Description | Password policy description. |
    | Maximum lifetime | Maximum number of days that a password is valid before the user must change it. The maximum number of days you can enter is 999999999. A value of zero (0) means that the password never expires. |
    | Restrict reuse | Number of previous passwords that cannot be reused. For example, if you enter 6, the user cannot reuse any of the last six passwords. |
    | Maximum length | Maximum number of characters that are allowed in the password. |
    | Minimum length | Minimum number of characters required in the password. The minimum length must be no less than the combined minimum of alphabetic, numeric, and special character requirements. |
    | Character requirements | Minimum number of different character types that are required in the password. You can specify the number of each type of character, as follows: |

    • Special: & # %
    • Alphabetic: A b c D
    • Uppercase: A B C
    • Lowercase: a b c
    • Numeric: 1 2 3
    • Identical Adjacent: The number must be greater than 0. For example, if you enter 1, the following password is not allowed: p@$$word.

    The minimum number of alphabetic characters must be no less than the combined uppercase and lowercase characters.

    Non-ASCII characters are supported in passwords. In earlier versions of vCenter Single Sign-On, limitations on supported characters exist.

    Note: The password policy picks up the maximum length value only if the minimum length is greater than 20 characters. The behavior of the password policy is undefined or could result in failure of services when the minimum length value is greater than 20 characters and the maximum length is set to any value. To avoid a potential problem, leave the minimum length set to the default value of 8 characters, or no greater than 20 characters.
  7. Click Save.
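
The constraints from step 6 can be checked before you click Save. The following Python sketch is an added example, not VMware code: it tests a proposed policy for internal consistency and tests one candidate password against it. The field names are hypothetical, and treating "special" as any non-alphanumeric character is an assumption.

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass
class Policy:  # hypothetical field names mirroring the options listed above
    max_lifetime: int
    min_length: int
    special: int
    alphabetic: int
    uppercase: int
    lowercase: int
    numeric: int
    identical_adjacent: int

def policy_problems(p):
    """Check a proposed policy against the constraints stated on this page."""
    out = []
    if not 0 <= p.max_lifetime <= 999999999:
        out.append("maximum lifetime must be 0 (never expires) to 999999999 days")
    if p.min_length < p.alphabetic + p.numeric + p.special:
        out.append("minimum length is below alphabetic + numeric + special minimums")
    if p.alphabetic < p.uppercase + p.lowercase:
        out.append("alphabetic minimum is below uppercase + lowercase minimums")
    if p.identical_adjacent <= 0:
        out.append("identical adjacent must be greater than 0")
    if p.min_length > 20:
        out.append("minimum length above 20: behavior undefined per the note")
    return out

def password_problems(p, pw):
    """Check one candidate password against the character rules."""
    # Assumption: "special" means any non-alphanumeric character.
    counts = {
        "special": sum(not c.isalnum() for c in pw),
        "alphabetic": sum(c.isalpha() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "lowercase": sum(c.islower() for c in pw),
        "numeric": sum(c.isdigit() for c in pw),
    }
    out = [f"too few {k} characters" for k, n in counts.items() if n < getattr(p, k)]
    if len(pw) < p.min_length:
        out.append("shorter than minimum length")
    longest_run = max((len(list(g)) for _, g in groupby(pw)), default=0)
    if longest_run > p.identical_adjacent:
        out.append("too many identical adjacent characters")
    return out

# Constructed sample values, not read from a real vCenter Server.
SAMPLE = Policy(max_lifetime=90, min_length=8, special=1, alphabetic=2,
                uppercase=1, lowercase=1, numeric=1, identical_adjacent=1)
```

With `identical_adjacent` set to 1, `password_problems(SAMPLE, "p@$$word")` reports the repeated `$`, matching the example in the table.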