To manage your vSphere environment, you must be aware of the vCenter Single Sign-On password policy, of vCenter Server passwords, and of lockout behavior.
This section discusses vCenter Single Sign-On passwords. See ESXi Passwords and Account Lockout for a discussion of passwords of ESXi local users.
vCenter Single Sign-On Administrator Password
The password for the administrator of vCenter Single Sign-On, email@example.com by default, is specified by the vCenter Single Sign-On password policy. By default, this password must meet the following requirements:
- At least eight characters
- At least one lowercase character
- At least one numeric character
- At least one special character
The password for this user cannot be more than 20 characters long. Non-ASCII characters are allowed. Administrators can change the default password policy. See the vSphere Authentication documentation.
vCenter Server Passwords
In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory, OpenLDAP.
vCenter Single Sign-On Lockout Behavior
Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after five consecutive failed attempts in three minutes and a locked account is unlocked automatically after five minutes. You can change these defaults using the vCenter Single Sign-On lockout policy. See the vSphere Authentication documentation.
The vCenter Single Sign-On domain administrator, firstname.lastname@example.org by default, is not affected by the lockout policy. The user is affected by the password policy.
If you know your password, you can change the password by using the dir-cli password change command. If you forget your password, a vCenter Single Sign-On administrator can reset your password by using the dir-cli password reset command.
Search the VMware Knowledge Base for information on password expiration and related topics in different versions of vSphere.