Password restrictions, password expiration, and account lockout in your vSphere environment depend on the system that the user targets, who the user is, and how policies are set.

ESXi Passwords

ESXi password restrictions are determined by certain requirements. See ESXi Passwords and Account Lockout.

Passwords for vCenter Server and Other vCenter Services

vCenter Single Sign-On manages authentication for all users who log in to vCenter Server and other vCenter services. The password restrictions, password expiration, and account lockout depend on the user's domain and on who the user is.
vCenter Single Sign-On Administrator
The password for the [email protected] user, or the administrator@ mydomain user if you selected a different domain during installation, does not expire and is not subject to the lockout policy. In all other regards, the password must follow the restrictions that are set in the vCenter Single Sign-On password policy. See vSphere Authentication for details.
If you forget the password for this user, search the VMware Knowledge Base system for information on resetting this password. The reset requires additional privileges such as root access to the vCenter Server system.
Other Users of the vCenter Single Sign-On Domain
Passwords for other vsphere.local users, or users of the domain that you specified during installation, must follow the restrictions that are set by the vCenter Single Sign-On password policy and lockout policy. See vSphere Authentication for details. These passwords expire after 90 days by default. Administrators can change the expiration as part of the password policy.
If you forget your vsphere.local password, an administrator user can reset the password using the dir-cli command.
Other Users
Password restrictions, password expiration, and account lockout for all other users are determined by the domain (identity source) to which the user can authenticate.
vCenter Single Sign-On supports one default identity source. Users can log in to the corresponding domain with the vSphere Client with their user names. If users want to log in to a non-default domain, they can include the domain name, that is, specify user@ domain or domain\ user. The domain password parameters apply to each domain.

Passwords for vCenter Server Direct Console User Interface Users

The vCenter Server appliance is a preconfigured virtual machine that is optimized for running vCenter Server and the associated services.

When you deploy the vCenter Server, you specify these passwords.
  • Password for the root user.
  • Password for the administrator of the vCenter Single Sign-On domain, [email protected] by default.
You can change the root user password and perform other vCenter Server local user management tasks from the vCenter Server Management Interface. See vCenter Server Configuration.