For ESXi hosts, you must use a password that meets predefined requirements. You can change the required password length and character class requirements, or allow passphrases, with the Security.PasswordQualityControl advanced option. You can also set the number of previous passwords to remember for each user with the Security.PasswordHistory advanced option. The Security.PasswordMaxDays advanced option sets the maximum number of days between password changes.

Note: Always perform additional testing after you change the default password settings.

If you attempt to log in with incorrect credentials, the account lockout policy specifies when and for how long the system locks your account.

ESXi Passwords

ESXi enforces password requirements for access.

  • By default, when you create a password, you must include a mix of characters from any three of the following four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.
  • By default, the password must be at least 7 characters and at most 40 characters long.
  • Passwords must not contain a dictionary word or part of a dictionary word.
  • Passwords must not contain the user name or parts of the user name.

Note:

An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

Example of ESXi Passwords

The following password candidates illustrate potential passwords if the option is set as follows:

retry=3 min=disabled,disabled,disabled,7,7

With this setting, a user is prompted up to three times (retry=3) for a new password if the candidate is not sufficiently strong or if the password was not entered the same way twice. Passwords with one or two character classes and passphrases are not allowed, because the first three items are disabled. Passwords from three or four character classes must be at least 7 characters long.

The following password candidates meet the password requirements:

  • xQaTEhb!: Contains eight characters from three character classes.
  • xQaT3#A: Contains seven characters from four character classes.

The following password candidates do not meet the password requirements:

  • Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two. The minimum number of required character classes is three.
  • xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of required character classes is three.

Password Quality Control

You can control the quality of passwords by using the Security.PasswordQualityControl advanced option.

Security.PasswordQualityControl consists of several settings that follow the pattern:

retry=N min=N0,N1,N2,N3,N4 max=N passphrase=N similar=permit|deny

Password Quality Control Settings

retry=N
  Description: The number of times the user must provide a new password if the password is incorrect or not sufficiently strong.
  Default: retry=3

min=N0,N1,N2,N3,N4
  Description: Character class and passphrase minimum length requirements.
    • N0 is the minimum length of passwords from a single character class.
    • N1 is the minimum length of passwords from two character classes.
    • N2 is the minimum length for a passphrase.
    • N3 is the minimum length for three character classes.
    • N4 is the minimum length for four character classes.
  You can use disabled to disallow a password with the specified number of character classes.
  Default: min=disabled,disabled,disabled,7,7

max=N
  Description: The maximum allowed password length.
  Default: max=40

passphrase=N
  Description: The number of words required for a passphrase. To make sure that the passphrase is recognized, do not set N2 in the min setting to disabled.
  Default: passphrase=3

similar=permit|deny
  Description: Indicates whether a password is allowed to be similar to the old password. To use this setting, make sure that you set the Security.PasswordHistory option to a non-zero value.
  Default: similar=deny

ESXi Passphrase

Instead of a password, you can use a passphrase. Passphrases are deactivated by default. You can change the default setting by using the Security.PasswordQualityControl advanced option.

For example, you can change the option to the following.

retry=3 min=disabled,disabled,16,7,7

This example allows passphrases of at least 16 characters. The passphrase must consist of at least 3 words, separated by spaces.
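The following checker is an added example, not VMware's code, and applies the Security.PasswordQualityControl rules described in the password examples, the settings table, and the passphrase section above to candidate passwords. It parses the retry/min/max/passphrase/similar string, counts character classes with the leading-uppercase and trailing-digit exclusions, and applies the passphrase word count. Two simplifications are this example's own assumptions: the dictionary-word rule is not modelled (no word list is part of the page), and "parts of the user name" is reduced to a check for the whole user name as a substring.

```python
# Added example (not VMware code): applies the Security.PasswordQualityControl
# rules described on this page to candidate passwords. The dictionary-word rule
# is not modelled (no word list is on the page), and "parts of the user name"
# is simplified to the whole user name as a substring.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class QualityPolicy:
    retry: int = 3
    # Minimum lengths in the page's order: N0 one class, N1 two classes,
    # N2 passphrase, N3 three classes, N4 four classes. None means "disabled".
    min: Tuple[Optional[int], ...] = (None, None, None, 7, 7)
    max: int = 40
    passphrase: int = 3      # words required before input is treated as a passphrase
    similar: str = "deny"    # needs password history; recorded but not enforced here


def parse_policy(setting: str) -> QualityPolicy:
    """Parse 'retry=N min=N0,N1,N2,N3,N4 max=N passphrase=N similar=permit|deny'.
    Keys that are absent keep the page's defaults."""
    policy = QualityPolicy()
    for token in setting.split():
        key, _, value = token.partition("=")
        if key == "retry":
            policy.retry = int(value)
        elif key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs exactly five comma-separated values")
            policy.min = tuple(None if f == "disabled" else int(f) for f in fields)
        elif key == "max":
            policy.max = int(value)
        elif key == "passphrase":
            policy.passphrase = int(value)
        elif key == "similar":
            if value not in ("permit", "deny"):
                raise ValueError("similar= must be permit or deny")
            policy.similar = value
        else:
            raise ValueError(f"unknown setting {key!r}")
    return policy


def effective_classes(password: str) -> int:
    """Count character classes as ESXi does: an uppercase letter that begins
    the password and a digit that ends it do not count toward the total."""
    body = password
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")   # underscore, dash, space, ...
    return len(classes)


# Index into policy.min for a given class count (N2 is the passphrase slot,
# so three and four classes map to N3 and N4).
_MIN_INDEX = {1: 0, 2: 1, 3: 3, 4: 4}


def check_password(password: str, policy: QualityPolicy, username: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason) for one candidate under the given policy."""
    if len(password) > policy.max:
        return False, f"longer than max={policy.max}"
    if username and username.lower() in password.lower():
        return False, "contains the user name"
    words = password.split()
    if len(words) >= policy.passphrase:
        # Enough words to count as a passphrase: N2 governs its length.
        required = policy.min[2]
        if required is None:
            return False, "passphrases are disabled (N2=disabled)"
        if len(password) < required:
            return False, f"passphrase shorter than {required} characters"
        return True, f"passphrase of {len(words)} words, {len(password)} characters"
    n = effective_classes(password)
    if n not in _MIN_INDEX:
        return False, "no usable characters"
    required = policy.min[_MIN_INDEX[n]]
    if required is None:
        return False, f"{n} effective character class(es) not allowed"
    if len(password) < required:
        return False, f"{n} classes require at least {required} characters"
    return True, f"{len(password)} characters from {n} character classes"


if __name__ == "__main__":
    policy = parse_policy("retry=3 min=disabled,disabled,disabled,7,7")
    for candidate in ("xQaTEhb!", "xQaT3#A", "Xqat3hi", "xQaTEh2"):
        print(candidate, check_password(candidate, policy))
```

Run against the page's default setting, the four candidates from the example above are classified exactly as the page describes; switching to `retry=3 min=disabled,disabled,16,7,7` makes a three-word, 16-character-plus passphrase acceptable while a two-word phrase is still rejected as a two-class password. The `similar=` value is parsed but not enforced, because that comparison needs the stored password history.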

Example Password History and Rotation Policy

To remember a history of 5 passwords, set the Security.PasswordHistory option to 5.

To enforce a 90 day password rotation policy, set the Security.PasswordMaxDays option to 90.

ESXi Account Lockout Policy

Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after 5 consecutive failed attempts in 3 minutes and a locked account is unlocked automatically after 15 minutes by default. You can change the maximum allowed failed attempts and the period of time in which the user account is locked out by using the Security.AccountLockFailures and Security.AccountUnlockTime advanced options.
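The sliding-window model below is an added example, not VMware's code, that replays a constructed sequence of login results through the lockout behavior described above, with the page's defaults: five failures within three minutes lock the account, a locked account is unlocked after fifteen minutes, and Security.AccountLockFailures set to zero disables locking. Expressing the times in seconds, and clearing the failure counter on a successful login, are this example's own assumptions.

```python
# Added example (not VMware code): a sliding-window model of the ESXi account
# lockout behavior described on this page, replayed over constructed events.
# Time units in seconds and resetting the counter on success are assumptions.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

Event = Tuple[int, str, str]   # (timestamp in seconds, user, "fail" or "ok")


@dataclass
class LockoutPolicy:
    lock_failures: int = 5      # Security.AccountLockFailures; 0 disables locking
    window_seconds: int = 180   # failures are counted within a 3-minute window
    unlock_seconds: int = 900   # Security.AccountUnlockTime; 15 minutes


@dataclass
class AccountState:
    failures: Deque[int] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: int = -1


def apply_events(events: List[Event], policy: LockoutPolicy) -> List[Tuple[int, str, str]]:
    """Replay login results in time order and return the decision for each."""
    state: Dict[str, AccountState] = {}
    decisions = []
    for ts, user, result in sorted(events):
        st = state.setdefault(user, AccountState())
        if ts < st.locked_until:
            # Even a correct password is refused while the lock is in force.
            decisions.append((ts, user, "rejected: account locked"))
            continue
        if result == "ok":
            st.failures.clear()
            decisions.append((ts, user, "accepted"))
            continue
        st.failures.append(ts)
        # Drop failures older than the window before counting.
        while st.failures and ts - st.failures[0] > policy.window_seconds:
            st.failures.popleft()
        if policy.lock_failures and len(st.failures) >= policy.lock_failures:
            st.locked_until = ts + policy.unlock_seconds
            st.failures.clear()
            decisions.append((ts, user, "failed: account locked"))
        else:
            decisions.append((ts, user, "failed"))
    return decisions


# Constructed sample: "root" fails five times in 80 seconds; "ops" also fails
# five times, but 100 seconds apart, so the window never holds five failures.
SAMPLE_EVENTS: List[Event] = [
    (0, "root", "fail"), (20, "root", "fail"), (40, "root", "fail"),
    (60, "root", "fail"), (80, "root", "fail"),
    (100, "root", "ok"),      # correct password, but the account is locked
    (1000, "root", "ok"),     # after the unlock time: accepted
    (0, "ops", "fail"), (100, "ops", "fail"), (200, "ops", "fail"),
    (300, "ops", "fail"), (400, "ops", "fail"),
]


def decisions_for(user: str, policy: LockoutPolicy = LockoutPolicy()) -> List[str]:
    """Decisions for one user from the constructed sample."""
    return [d for _, u, d in apply_events(SAMPLE_EVENTS, policy) if u == user]


if __name__ == "__main__":
    for ts, user, decision in apply_events(SAMPLE_EVENTS, LockoutPolicy()):
        print(f"t={ts:4d}s {user:5s} {decision}")
```

The replay makes the two halves of the policy visible: the burst against `root` trips the lock on the fifth failure and the correct password 20 seconds later is still refused, while the slow sequence against `ops` never accumulates five failures inside the window. Running the same events with `LockoutPolicy(lock_failures=0)` shows the effect of the zero value noted in the procedure, where no lock is ever applied.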

To configure the administrator passwords and account lockout behavior, perform the following steps.

Procedure

  1. Click Manage in the VMware Host Client inventory and click Advanced Settings, then locate the option you want to change:

     Option: Configure the required password length, character class requirement, or allow passphrases
     Action:
       1. Enter Security.PasswordQualityControl in the Search text box and click the Search icon.
       2. Right-click Security.PasswordQualityControl and select Edit option from the drop-down menu.

     Option: Configure the number of passwords to remember for each user
     Action:
       1. Enter Security.PasswordHistory in the Search text box and click the Search icon.
       2. Right-click Security.PasswordHistory and select Edit option from the drop-down menu.
       Note: Zero deactivates password history.

     Option: Configure the maximum number of days between password changes
     Action:
       1. Enter Security.PasswordMaxDays in the Search text box and click the Search icon.
       2. Right-click Security.PasswordMaxDays and select Edit option from the drop-down menu.

     Option: Configure the number of failed login attempts allowed before lockout
     Action:
       1. Enter Security.AccountLockFailures in the Search text box and click the Search icon.
       2. Right-click Security.AccountLockFailures and select Edit option from the drop-down menu.
       Note: Zero (0) deactivates account locking.

     Option: Configure the period of time in which the user's account is locked out
     Action:
       1. Enter Security.AccountUnlockTime in the Search text box and click the Search icon.
       2. Right-click Security.AccountUnlockTime and select Edit option from the drop-down menu.

     The Edit option dialog box opens.

  2. In the New value text box, enter the new setting.
  3. Click Save.
  4. (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.