For ESXi hosts, you must use a password with predefined requirements. You can change the required password length, character class requirements, or allow passphrases, all using the Security.PasswordQualityControl advanced option. You can also set the number of passwords to remember for each user using the Security.PasswordHistory advanced option. The Security.PasswordMaxDays advanced option allows you to set the maximum number of days between password changes.

Note: Always perform additional testing after you change the default password settings.

If you attempt to log in with incorrect credentials, the account lockout policy specifies when and for how long the system locks your account.

ESXi enforces password requirements for access.

Note: An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

The following password candidates illustrate potential passwords if the option is set as follows:

retry=3 min=disabled,disabled,disabled,7,7

With this setting, a user is prompted up to three times (retry=3) for a new password that is not sufficiently strong or if the password was not entered correctly twice. Passwords with one or two character classes and password phrases are not allowed, because the first three items are disabled. Passwords from three and four character classes require 7 characters.

The following password candidates meet the password requirements:

The following password candidates do not meet the password requirements:

You can control the quality of passwords by using the Security.PasswordQualityControl advanced option.
Password Quality Control
Security.PasswordQualityControl consists of several settings that follow the pattern:
retry=N min=N0,N1,N2,N3,N4 max=N passphrase=N similar=permit|deny

| Setting | Description | Example |
| --- | --- | --- |
| retry=N | The number of times the user must provide a new password if the password is incorrect or not sufficiently strong. | retry=3 |
| min=N0,N1,N2,N3,N4 | Character class and passphrase minimum length requirements. | min=disabled,disabled,disabled,7,7 |
| max=N | The maximum allowed password length. | max=40 |
| passphrase=N | The number of words required for a passphrase. To make sure that the passphrase is recognized, do not set N2 from the min setting to disabled. | passphrase=3 |
| similar=permit\|deny | Indicates whether a password is allowed to be similar to the old password. To use this setting, make sure that you set the Security.PasswordHistory option to a non-zero value. | similar=deny |
Instead of a password, you can use a passphrase. Passphrases are disabled by default. You can change the default setting by using the Security.PasswordQualityControl advanced option.
For example, you can change the option to the following.
retry=3 min=disabled,disabled,16,7,7

This example allows passphrases of at least 16 characters. The passphrase must consist of at least 3 words, separated by spaces.
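To see how the min=N0,N1,N2,N3,N4 positions, the passphrase route and the two class-counting caveats above interact, here is an added checker that evaluates candidate passwords against a Security.PasswordQualityControl string. It is not VMware's code; the treatment of a space as an "other" character and the default passphrase=3 when the string omits it are assumptions noted in the comments.

```python
# Added example, not VMware's implementation: evaluate password candidates
# against a Security.PasswordQualityControl string. Assumptions are marked.

def parse_policy(value):
    """Parse 'retry=N min=N0,N1,N2,N3,N4 max=N passphrase=N similar=permit|deny'."""
    # Defaults below are assumptions used when a setting is absent from the string.
    policy = {"retry": 3, "min": [None] * 5, "max": 40, "passphrase": 3, "similar": "deny"}
    for token in value.split():
        key, _, val = token.partition("=")
        if key == "min":
            policy["min"] = [None if p == "disabled" else int(p) for p in val.split(",")]
            if len(policy["min"]) != 5:
                raise ValueError("min= needs exactly five comma-separated values")
        elif key in ("retry", "max", "passphrase"):
            policy[key] = int(val)
        elif key == "similar" and val in ("permit", "deny"):
            policy[key] = val
        else:
            raise ValueError(f"unrecognized setting: {token}")
    return policy

def character_classes(pw):
    """Count lower/upper/digit/other classes with the ESXi caveats applied."""
    body = pw[1:] if pw[:1].isupper() else pw          # leading uppercase does not count
    body = body[:-1] if body[-1:].isdigit() else body  # trailing digit does not count
    return sum([any(c.islower() for c in body), any(c.isupper() for c in body),
                any(c.isdigit() for c in body), any(not c.isalnum() for c in body)])

def check_password(pw, policy):
    """Return (accepted, reason). A space counts as an 'other' character here
    (assumption), so a multi-word phrase normally has to pass via the N2 route."""
    mins = policy["min"]
    if len(pw) > policy["max"]:
        return False, f"longer than max={policy['max']}"
    words = pw.split()
    if (policy["passphrase"] > 0 and mins[2] is not None
            and len(words) >= policy["passphrase"] and len(pw) >= mins[2]):
        return True, f"passphrase of {len(words)} words"
    n = character_classes(pw)
    need = mins[{0: 0, 1: 0, 2: 1, 3: 3, 4: 4}[n]]  # N2 is reserved for passphrases
    if need is None:
        return False, f"{max(n, 1)}-class passwords are disabled"
    if len(pw) < need:
        return False, f"{n} classes need at least {need} characters, got {len(pw)}"
    return True, f"{n} classes, {len(pw)} characters"

DEFAULT_POLICY = parse_policy("retry=3 min=disabled,disabled,disabled,7,7 max=40 passphrase=3 similar=deny")
PASSPHRASE_POLICY = parse_policy("retry=3 min=disabled,disabled,16,7,7")
```

Note that "Xqatehb!" is rejected under the default policy while "xQaTEhb!" is accepted: the leading uppercase X is not counted, leaving only two classes.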
Example Password History and Rotation Policy

To remember a history of 5 passwords, set the Security.PasswordHistory option to 5.
To enforce a 90 day password rotation policy, set the Security.PasswordMaxDays option to 90.
ESXi Account Lockout Policy

Users are locked out after a preset number of consecutive failed attempts. By default, users are locked out after 5 consecutive failed attempts in 3 minutes, and a locked account is unlocked automatically after 15 minutes by default. You can change the maximum allowed failed attempts and the period of time in which the user account is locked out by using the Security.AccountLockFailures and Security.AccountUnlockTime advanced options.
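The following added example (not VMware's code) replays a constructed sequence of login attempts against the default lockout policy just described, so you can see which patterns of failures actually lock an account and when it unlocks. Treating attempts made while the account is locked as refused without extending the lock is an assumption.

```python
# Added example, not VMware's implementation: replay login attempts against
# the ESXi lockout defaults. The 3-minute window comes from the documentation;
# refusing attempts during a lock without extending it is an assumption.
LOCK_FAILURES = 5   # Security.AccountLockFailures (default)
UNLOCK_TIME = 900   # Security.AccountUnlockTime in seconds (15 minutes)
WINDOW = 180        # consecutive failures are counted within 3 minutes

def replay(events):
    """events: (seconds, user, success) tuples in time order per user.
    Returns one outcome per event: 'ok', 'fail', 'locked' (the failure that
    triggered the lock) or 'refused' (attempt while the lock is still active)."""
    failures = {}      # user -> timestamps of the current run of failures
    locked_until = {}  # user -> time at which the lock expires
    outcomes = []
    for t, user, success in events:
        if t < locked_until.get(user, 0):
            outcomes.append("refused")
            continue
        if success:
            failures.pop(user, None)  # a success ends the consecutive run
            outcomes.append("ok")
            continue
        recent = [f for f in failures.get(user, []) if t - f <= WINDOW] + [t]
        failures[user] = recent
        if len(recent) >= LOCK_FAILURES:
            locked_until[user] = t + UNLOCK_TIME
            failures.pop(user)
            outcomes.append("locked")
        else:
            outcomes.append("fail")
    return outcomes

# Constructed sample: 'root' fails five times in two minutes and is locked;
# 'admin' fails every 100 s, so never five within the window; 'ops' has a
# success that resets the run.
SAMPLE = [(0, "root", False), (30, "root", False), (60, "root", False),
          (90, "root", False), (120, "root", False), (200, "root", True),
          (1100, "root", True),
          (0, "admin", False), (100, "admin", False), (200, "admin", False),
          (300, "admin", False), (400, "admin", False),
          (0, "ops", False), (10, "ops", False), (20, "ops", False),
          (30, "ops", False), (40, "ops", True), (50, "ops", False)]
```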
To configure the administrator password requirements and account lockout behavior, perform the following steps.
Procedure
- Click Manage in the VMware Host Client inventory and click Advanced Settings.
- Depending on what you want to configure, do one of the following:

| Option | Action |
| --- | --- |
| Configure the required password length, character class requirement, or allow passphrases | Enter Security.PasswordQualityControl in the Search text box and click the Search icon. Right-click Security.PasswordQualityControl and select Edit option from the drop-down menu. |
| Configure the number of passwords to remember for each user | Enter Security.PasswordHistory in the Search text box and click the Search icon. Right-click Security.PasswordHistory and select Edit option from the drop-down menu. Note: Zero deactivates password history. |
| Configure the maximum number of days between password changes | Enter Security.PasswordMaxDays in the Search text box and click the Search icon. Right-click Security.PasswordMaxDays and select Edit option from the drop-down menu. |
| Configure the number of failed login attempts allowed before lockout | Enter Security.AccountLockFailures in the Search text box and click the Search icon. Right-click Security.AccountLockFailures and select Edit option from the drop-down menu. Note: Zero (0) deactivates account locking. |
| Configure the period of time in which the user's account is locked out | Enter Security.AccountUnlockTime in the Search text box and click the Search icon. Right-click Security.AccountUnlockTime and select Edit option from the drop-down menu. |

  The Edit option dialog box opens.
- In the New value text box, enter the new setting.
- Click Save.
- (Optional) To reset the key setting to default, right-click the appropriate key from the list and select Reset to default.