Virtual Maestro

ESXi 6.5 & later Password policy


In continuation of the previous post on ESXi 6 password policy, let us look at the changes (if any) to the password policy in ESXi 6.5 and later. I have tried to simplify the ESXi password policy as much as possible.

ESXi uses the Linux PAM module pam_passwdqc for password management and control. We can change the required length or the character class requirement, or allow passphrases, using the ESXi advanced setting Security.PasswordQualityControl.

I will be using ESXi 6.7 from my test lab for this discussion.

The default setting for Security.PasswordQualityControl in ESXi 6.7 is shown below.

As you can see, it is similar to what we had in ESXi 6.0 and its predecessors as well.

retry=3 min=disabled,disabled,disabled,7,7

The above setting can also be written as

retry=3 min=8,8,8,7,7

This has the same meaning as the first entry, because disabled = 8.

In the above setting, the minimum requirement for a password is denoted by five placeholders (after min=), namely disabled, disabled, disabled, 7, and 7.

What do these placeholders mean?

To put it in simple words, an ESXi password cannot contain characters from only one class or only two classes. Also, by default, passphrases are disabled in the above format. That is the meaning of the first three disabled words.

A password can be created from either three character classes or four character classes. These are the fourth and fifth placeholders respectively, with the character requirements below.

A password from three character classes requires a minimum length of 7 characters.

A password from four different character classes requires the same minimum number of characters as one from three character classes, i.e. 7.

What character classes are we referring to?

What are the default settings?

Other rules to be considered

I hope this clears up how the ESXi password policy works. If it is still not clear, check the examples below.

retry=3 min=disabled,disabled,10,7,7

retry=3 min=disabled,14,disabled,7,7
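The five min= positions described above, decoded in Python as an added example (not code from this post or from VMware). The kind labels, function names and sample passwords are constructed for illustration; count_classes also applies pam_passwdqc's rule that an uppercase first character and a digit as the last character do not count toward the classes, and passphrase, dictionary and similarity checks are not modelled.

```python
# Added example. Labels for the five min= positions, in order (this example's own names).
KINDS = ("one class", "two classes", "passphrase", "three classes", "four classes")

def parse_policy(setting):
    """Decode a Security.PasswordQualityControl value; None means 'disabled'."""
    opts = dict(tok.split("=", 1) for tok in setting.split() if "=" in tok)
    fields = opts.get("min", "").split(",")
    if len(fields) != len(KINDS):
        raise ValueError("min= needs exactly five comma-separated values")
    mins = {}
    for kind, field in zip(KINDS, fields):
        if field != "disabled" and not field.isdigit():
            raise ValueError(f"bad min= value: {field!r}")
        mins[kind] = None if field == "disabled" else int(field)
    retry = int(opts["retry"]) if "retry" in opts else None
    return {"retry": retry, "min": mins}

def count_classes(password):
    """Classes used (lowercase, uppercase, digit, other), skipping an
    uppercase first character and a digit in the last position."""
    seen = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch.islower():
            seen.add("lower")
        elif ch.isupper():
            if i != 0:
                seen.add("upper")
        elif ch.isdigit():
            if i != last:
                seen.add("digit")
        else:
            seen.add("other")
    return len(seen)

def length_ok(password, setting):
    """Length-per-class check only; the other module checks are not modelled."""
    mins = parse_policy(setting)["min"]
    classes = count_classes(password)
    if classes == 0:
        return False
    # 1, 2, 3 or 4 classes map to positions 0, 1, 3 and 4 (position 2 is passphrases).
    required = mins[KINDS[(0, 1, 3, 4)[classes - 1]]]
    return required is not None and len(password) >= required

DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"
if __name__ == "__main__":
    for pw in ("Vmware1", "ab#4cd", "vmw@re1x", "xQt#4ab"):  # constructed samples
        print(pw, count_classes(pw), length_ok(pw, DEFAULT))
```

Under the default setting, the constructed sample "Vmware1" is rejected even though it looks like three classes, because the leading capital and trailing digit are not counted.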

Feel free to comment if you still have any queries.