Sunday, May 22, 2016

ESXi Passwords and Account Lockout

ESXi hosts require passwords that meet predefined requirements. You can change the required length and character-class requirements, or allow pass phrases, by using the Security.PasswordQualityControl advanced option.
ESXi uses the Linux PAM module pam_passwdqc for password management and control. See the manpages for pam_passwdqc for detailed information.
ESXi enforces password requirements for direct access from the Direct Console User Interface, the ESXi Shell, SSH, or the vSphere Client. When you create a password, include a mix of characters from four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore or dash.
Note: An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.
The password cannot contain a dictionary word or part of a dictionary word.
The following password candidates illustrate potential passwords if the option is set to:
retry=3 min=disabled,disabled,disabled,7,7
That means passwords with one or two character classes, and pass phrases, are not allowed, as indicated by the first three disabled items. Passwords with three or four character classes require at least seven characters. See the manpages for pam_passwdqc for detailed information.
The following passwords are allowed.
xQaTEhb!: Contains eight characters from three character classes.
xQaT3#A: Contains seven characters from four character classes.
The following password candidates do not meet ESXi requirements.
Xqat3h?: Begins with an uppercase character, reducing the effective number of character classes to two. The minimum number of supported character classes is three.
xQaTEh2: Ends with a number, reducing the effective number of character classes to two. The minimum number of supported character classes is three.
Instead of a password, you can also use a pass phrase; however, pass phrases are disabled by default. You can change this default or other settings by using the Security.PasswordQualityControl advanced option for your ESXi host from the vSphere Web Client.
For example, you can change the option to the following:
retry=3 min=disabled,disabled,16,7,7
This example allows pass phrases of at least 16 characters and at least 3 words, separated by spaces.
Making changes to the /etc/pam.d/passwd file is still supported for legacy hosts but is deprecated for future releases.
You can change the default restriction on passwords or pass phrases by using the Security.PasswordQualityControl advanced option for your ESXi host. By default, this option is set as follows:
retry=3 min=disabled,disabled,disabled,7,7
You can change the default, for example, to require a minimum of 15 characters and a minimum of four words, as follows:
retry=3 min=disabled,disabled,15,7,7 passphrase=4
See the manpage for pam_passwdqc for more information.
Note: Not all possible combinations of the options for pam_passwdqc have been tested. Perform additional testing after you make changes to the default password settings.
See the vCenter Server and Host Management documentation for information on setting ESXi advanced options.
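As an added illustration (not from the original post and not VMware's code), the following Python checker parses a Security.PasswordQualityControl value and applies the length and character-class rules described above, including the note's discount for a leading uppercase letter and a trailing digit. It models only those rules plus the pass phrase word count; pam_passwdqc's dictionary and similarity checks are not reproduced, so it is a way to reason about a policy string before changing it, not a substitute for testing on the host. The pass phrase samples are constructed. Applying the note's rule literally, the checker counts three effective classes for Xqat3h? (lowercase, digit, special), so on that one candidate it does not agree with the rejected-example list.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pam_passwdqc's min=N0,N1,N2,N3,N4 slots: one class, two classes,
# pass phrase, three classes, four classes.
CLASSES_TO_SLOT = {1: 0, 2: 1, 3: 3, 4: 4}
PASSPHRASE_SLOT = 2


@dataclass
class QualityPolicy:
    retry: int
    min_lengths: List[Optional[int]]  # None means "disabled"
    passphrase_words: int = 3         # pam_passwdqc default when passphrase= is absent


def parse_policy(option: str) -> QualityPolicy:
    """Parse a value such as 'retry=3 min=disabled,disabled,16,7,7 passphrase=4'."""
    retry, mins, words = 3, None, 3
    for token in option.split():
        key, _, value = token.partition("=")
        if key == "retry":
            retry = int(value)
        elif key == "min":
            parts = value.split(",")
            if len(parts) != 5:
                raise ValueError("min= needs exactly five entries")
            mins = [None if p == "disabled" else int(p) for p in parts]
        elif key == "passphrase":
            words = int(value)
        else:
            raise ValueError(f"unsupported option: {key}")
    if mins is None:
        raise ValueError("min= is required")
    return QualityPolicy(retry, mins, words)


def effective_classes(pw: str) -> int:
    """Count character classes as the note describes: a leading uppercase letter
    and a trailing digit add nothing unless another member of that class exists."""
    digits = sum(c.isdigit() for c in pw)
    lowers = sum(c.islower() for c in pw)
    uppers = sum(c.isupper() for c in pw)
    others = len(pw) - digits - lowers - uppers   # punctuation, spaces, etc.
    classes = sum(1 for n in (digits, lowers, uppers, others) if n)
    if uppers == 1 and pw[:1].isupper():
        classes -= 1
    if digits == 1 and pw[-1:].isdigit():
        classes -= 1
    return classes


def evaluate(policy: QualityPolicy, candidate: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a candidate under the parsed policy."""
    length = len(candidate)
    classes = effective_classes(candidate)
    if classes:
        needed = policy.min_lengths[CLASSES_TO_SLOT[classes]]
        if needed is not None and length >= needed:
            return True, f"{classes} class(es), {length} chars >= {needed}"
    # Fall back to the pass phrase rule: enough space-separated words and
    # at least the N2 length, when that slot is not disabled.
    words = len(candidate.split())
    needed = policy.min_lengths[PASSPHRASE_SLOT]
    if (needed is not None and policy.passphrase_words > 0
            and words >= policy.passphrase_words and length >= needed):
        return True, f"pass phrase of {words} words, {length} chars >= {needed}"
    return False, f"{classes} effective class(es), {length} chars, {words} word(s)"


if __name__ == "__main__":
    default = parse_policy("retry=3 min=disabled,disabled,disabled,7,7")
    for pw in ("xQaTEhb!", "xQaT3#A", "Xqat3h?", "xQaTEh2", "correct horse battery"):
        print(pw, evaluate(default, pw))
```

Each candidate is judged first by its effective class count and then, if that fails, by the pass phrase slot, which is why the constructed phrase is rejected under the default string and accepted once N2 is set to 16.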
Starting with vSphere 6.0, account locking is supported for access through SSH and through the vSphere Web Services SDK. The Direct Console User Interface (DCUI) and the ESXi Shell do not support account lockout. By default, a maximum of ten failed attempts is allowed before the account is locked. The account is unlocked after two minutes by default.
You can configure the login behavior with the following advanced options:
Security.AccountLockFailures: Maximum number of failed login attempts before a user's account is locked. Zero disables account locking.
Security.AccountUnlockTime: Number of seconds that a user is locked out.
See the vCenter Server and Host Management documentation for information on setting advanced options.
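The lockout options above, as an added model (not ESXi code) of how Security.AccountLockFailures and Security.AccountUnlockTime interact. It assumes, as labelled in the code, that a successful login resets the failure counter and that the counter clears when the lock expires; the clock is passed in as a number so the unlock window can be exercised without waiting. It describes only the SSH and SDK paths, since the DCUI and ESXi Shell do not lock accounts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    lock_failures: int = 10    # Security.AccountLockFailures default; 0 disables locking
    unlock_seconds: int = 120  # Security.AccountUnlockTime default (two minutes)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None


class LockoutTracker:
    """Assumed model: consecutive failures lock the account, the lock expires
    after unlock_seconds, and a successful login clears the counter."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Lock expired: assumption that the failure counter starts over.
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'ok', 'denied', or 'locked'.
        A correct password during the lock window is still refused."""
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        if credentials_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if self.policy.lock_failures > 0 and st.failures >= self.policy.lock_failures:
            st.locked_until = now + self.policy.unlock_seconds
            return "locked"
        return "denied"


def replay(policy: LockoutPolicy, events: List[Tuple[float, str, bool]]) -> List[str]:
    """Run a constructed sequence of (time, user, credentials_ok) events."""
    tracker = LockoutTracker(policy)
    return [tracker.attempt(user, ok, t) for t, user, ok in events]


if __name__ == "__main__":
    # Constructed sequence: ten bad guesses one second apart, then the real
    # password inside the lock window, then again after it has expired.
    events = [(float(t), "root", False) for t in range(10)]
    events += [(10.0, "root", True), (129.0, "root", True)]
    for (t, user, ok), outcome in zip(events, replay(LockoutPolicy(), events)):
        print(f"t={t:>6.1f} {user} ok={ok} -> {outcome}")
```

With the defaults, the tenth failure at t=9 locks the account until t=129; the correct password at t=10 is refused, and the one at t=129 succeeds. Setting lock_failures to 0 reproduces "Zero disables account locking": every bad attempt is simply denied.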

1 comment:

  1. Xqat3h? - Not counting the first character, aren't there three classes remaining? I see lowercase, numeral, and special character. Not sure what I'm missing.
