To manage your vSphere environment, you must be aware of the vCenter Single Sign-On password policy, of vCenter Server passwords, and of lockout behavior.
This section discusses vCenter Single Sign-On passwords. See ESXi Passwords and Account Lockout for a discussion of passwords of ESXi local users.
vCenter Single Sign-On Administrator Password
The password for the administrator of vCenter Single Sign-On, administrator@vsphere.local by default, is specified by the vCenter Single Sign-On password policy. By default, this password must meet the following requirements:
- At least eight characters
- At least one lowercase character
- At least one numeric character
- At least one special character
The password for this user cannot be more than 20 characters long. Non-ASCII characters are allowed. Administrators can change the default password policy. See the vSphere Authentication documentation.
vCenter Server Passwords
In vCenter Server, password requirements are dictated by vCenter Single Sign-On or by the configured identity source, which can be Active Directory or OpenLDAP.
vCenter Single Sign-On Lockout Behavior
Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after five consecutive failed attempts in three minutes, and a locked account is unlocked automatically after five minutes. You can change these defaults using the vCenter Single Sign-On lockout policy. See the vSphere Authentication documentation.
The vCenter Single Sign-On domain administrator, administrator@vsphere.local by default, is not affected by the lockout policy. The user is affected by the password policy.
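The default lockout rule above can be modeled over a list of login events to see which accounts it would lock and for how long. This is an added example, not VMware code: the event format, the user names other than the default administrator, and the handling of attempts made while an account is locked are assumptions.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                           # default: five consecutive failed attempts
FAILURE_WINDOW = timedelta(minutes=3)      # default: within three minutes
UNLOCK_AFTER = timedelta(minutes=5)        # default: automatic unlock after five minutes
EXEMPT = {"administrator@vsphere.local"}   # domain administrator is not locked out

def lockout_intervals(events):
    """events: (timestamp, user, success) tuples sorted by timestamp.
    Returns {user: [(locked_at, unlocked_at), ...]} under the default policy."""
    run = {}           # user -> timestamps of the current run of consecutive failures
    locked_until = {}  # user -> time at which the current lock expires
    result = {}
    for ts, user, ok in events:
        user = user.lower()
        if user in EXEMPT:
            continue
        if user in locked_until and ts < locked_until[user]:
            continue   # assumption: attempts during a lock are rejected, not counted
        if ok:
            run.pop(user, None)   # a successful login breaks the consecutive run
            continue
        # keep only failures still inside the window, then add this one
        recent = [t for t in run.get(user, []) if ts - t <= FAILURE_WINDOW]
        recent.append(ts)
        if len(recent) >= MAX_FAILURES:
            locked_until[user] = ts + UNLOCK_AFTER
            result.setdefault(user, []).append((ts, ts + UNLOCK_AFTER))
            recent = []
        run[user] = recent
    return result

def at(seconds):
    """Constructed timestamp, offset from an arbitrary start time."""
    return datetime(2024, 1, 1, 10, 0, 0) + timedelta(seconds=seconds)

# Constructed sample events (not real logs).
SAMPLE = sorted(
    [(at(s), "alice@vsphere.local", False) for s in (0, 20, 40, 60, 80, 120)]
    + [(at(s), "bob@vsphere.local", s == 45) for s in (5, 15, 25, 35, 45, 55, 65, 75, 85)]
    + [(at(s), "carol@vsphere.local", False) for s in (0, 50, 100, 150, 200)]
    + [(at(s), "administrator@vsphere.local", False) for s in range(0, 100, 10)]
)

if __name__ == "__main__":
    for user, spans in lockout_intervals(SAMPLE).items():
        for start, end in spans:
            print(f"{user} locked {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only alice is locked: bob's run is broken by a successful login, carol's failures are spread over more than three minutes, and the administrator account is exempt, which is why failed logins for that account need separate monitoring.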
Password Changes
If you know your password, you can change the password by using the dir-cli password change command. If you forget your password, a vCenter Single Sign-On administrator can reset your password by using the dir-cli password reset command.
Search the VMware Knowledge Base for information on password expiration and related topics in different versions of vSphere.