With VMware ESXi 6, password policy require to use more complex passwords. ESXi enforces password requirements for direct access from the DCUI, ESXi Shell, SSH, or the vSphere web Client. In previous versions of ESXi, password complexity changes had to be made by editing the /etc/pam.d/passwd file on each ESXi host.In vSphere 6.0 now this can be done by adding an entry in Host Advanced System Settings, enabling centrally managed setting changes for all hosts in a cluster.
When we create a password, we need to include a mix of characters from three or four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore.
The password policy in ESXi 6 has following requirements:
- Passwords must contain characters from at least three character classes.
- Passwords containing characters from three character classes must be at least seven characters long.
- Passwords containing characters from all four character classes must be at least seven characters long.
- An uppercase character that begins a password does not count toward the number of character classes used.
- A number that ends a password does not count toward the number of character classes used.
- The password cannot contain a dictionary word or part of a dictionary word.
We can change the default required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.
The default configuration ESXi 6 is “ESXi 6: retry=3 min=disabled,disabled,disabled,7,7″whereas in ESXi 5.5 it was
“ESXi 5: retry=3 min=8,8,8,7,6”
It means that passwords with one character class, two character classes and pass phases are not allowed, as indicated by the first three disabled items.
Passwords from three and four character classes require at least seven characters.
2 thoughts on “VMware ESXi 6 password policy”
is there a limitation of which special characters can be used?