For ESXi hosts, you must use a password with predefined requirements. You can change the required length and the character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced system setting. You can also set the number of passwords to remember for each user using the Security.PasswordHistory advanced system setting.

Note: The default requirements for ESXi passwords can change from one release to the next. You can check and change the default password restrictions by using the Security.PasswordQualityControl advanced system setting.

ESXi Passwords

ESXi enforces password requirements for access from the Direct Console User Interface, the ESXi Shell, SSH, or the VMware Host Client.

  • By default, you must include a mix of at least three from the following four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash when you create a password.
  • By default, password length is at least 7 characters and less than 40.
  • Passwords must not contain a dictionary word or part of a dictionary word.
  • Passwords must not contain the user name or parts of the user name.
Note: An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used. A dictionary word used inside a password reduces the overall password strength.

Example ESXi Passwords

The following password candidates illustrate potential passwords if the option is set as follows.
retry=3 min=disabled,disabled,disabled,7,7
With this setting, a user is prompted up to three times (retry=3) for a new password that is not sufficiently strong or if the password was not entered correctly twice. Passwords with one or two character classes and pass phrases are not allowed, because the first three items are deactivated. Passwords from three- and four-character classes require seven characters. See the pam_passwdqc man page for details on other options, such as max, passphrase, and so on.
With these settings, the following passwords are allowed.
  • xQaTEhb!: Contains eight characters from three character classes.
  • xQaT3#A: Contains seven characters from four character classes.
The following password candidates do not meet requirements.
  • Xqat3hi: Begins with an uppercase character, reducing the effective number of character classes to two. The minimum number of required character classes is three.
  • xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of required character classes is three.

ESXi Pass Phrase

Instead of a password, you can also use a pass phrase. However, pass phrases are deactivated by default. You can change the default setting and other settings by using the Security.PasswordQualityControl advanced system setting from the vSphere Client.

For example, you can change the option to the following.

retry=3 min=disabled,disabled,16,7,7

This example allows pass phrases of at least 16 characters and at least three words.

For legacy hosts, changing the /etc/pam.d/passwd file is still supported, but changing the file is deprecated for future releases. Use the Security.PasswordQualityControl advanced system setting instead.

Changing Default Password Restrictions

You can change the default restriction on passwords or pass phrases by using the Security.PasswordQualityControl advanced system setting for your ESXi host. See the vCenter Server and Host Management documentation for information on changing ESXi advanced system settings.

You can change the default, for example, to require a minimum of 15 characters and a minimum number of four words ( passphrase=4), as follows:
retry=3 min=disabled,disabled,15,7,7 passphrase=4
See the man page for pam_passwdqc for details.
Note: Not all possible combinations of password options have been tested. Perform testing after you change the default password settings.

This example sets the password complexity requirement to require eight characters from four character classes that enforce a significant password difference, a remembered history of five passwords, and a 90 day rotation policy:

min=disabled,disabled,disabled,disabled,8 similar=deny

Set the Security.PasswordHistory option to 5 and the Security.PasswordMaxDays option to 90.

ESXi Account Lockout Behavior

Account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of five failed attempts is allowed before the account is locked. The account is unlocked after 15 minutes by default.

Configuring Login Behavior

You can configure the login behavior for your ESXi host with the following advanced system settings:
  • Security.AccountLockFailures. Maximum number of failed login attempts before a user's account is locked. Zero deactivates account locking.
  • Security.AccountUnlockTime. Number of seconds that a user is locked out.
  • Security.PasswordHistory. Number of passwords to remember for each user. Zero deactivates password history.

See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.