VMware ESXi 6 password policy

With VMware ESXi 6, password policy require to use more complex passwords.  ESXi enforces password requirements for direct access from the DCUI, ESXi Shell, SSH, or the vSphere web Client. In previous versions of ESXi, password complexity changes had to be made by editing the /etc/pam.d/passwd file on each ESXi host.In vSphere 6.0 now this can be done by adding an entry in Host Advanced System Settings, enabling centrally managed setting changes for all hosts in a cluster.

When we create a password, we need to include a mix of characters from three or four character classes: lowercase letters, uppercase letters, numbers, and special characters such as underscore.

The password policy in ESXi 6 has following requirements:

  • Passwords must contain characters from at least three character classes.
  • Passwords containing characters from three character classes must be at least seven characters long.
  • Passwords containing characters from all four character classes must be at least seven characters long.
  • An uppercase character that begins a password does not count toward the number of character classes used.
  • A number that ends a password does not count toward the number of character classes used.
  • The password cannot contain a dictionary word or part of a dictionary word.

We can change the default required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option.

The default configuration ESXi 6 is “ESXi 6: retry=3 min=disabled,disabled,disabled,7,7″whereas in ESXi 5.5 it was

“ESXi 5: retry=3 min=8,8,8,7,6”

It means that passwords with one character class, two character classes and pass phases are not allowed, as indicated by the first three disabled items.

Passwords from three and four character classes require at least seven characters.

We can change this default settings, by using the Security.PasswordQualityControl advanced option for your ESXi host from the vSphere Web Client. A passphrase requires at least 3 words, can be 8 to 40 characters long, and must contain enough different characters.

2 thoughts on “VMware ESXi 6 password policy

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.