ESXi 7 Password policy

Continuing from the previous post on the ESXi 6.5 password policy, let us look at what (if anything) has changed in the password policy in ESXi 7. I have tried to simplify the ESXi password policy as much as possible.

ESXi uses the Linux PAM module pam_passwdqc for password management and control. The required length, the character class requirements and whether pass phrases are allowed can all be changed through the ESXi advanced setting Security.PasswordQualityControl.

The default value of Security.PasswordQualityControl in ESXi 7 is shown below. This version also adds some options for password management, including password history and password age in number of days.

As you can see, it is similar to what we had in ESXi 6.x and its predecessors.

retry=3 min=disabled,disabled,disabled,7,7

The above setting can also be written as

retry=3 min=8,8,8,7,7

The second form has the same meaning as the first entry (disabled = 8).

In the above setting, the minimum requirement for a password is denoted by five placeholders (after min=), namely disabled, disabled, disabled, 7 and 7.

What do these placeholders mean?

  • disabled
    • Number of minimum characters required if the password contains only one character class
  • disabled
    • Number of minimum characters required if the password contains characters from two character classes
  • disabled
    • Number of minimum characters required if the password contains a phrase
  • 7
    • Number of minimum characters required if the password contains characters from three character classes
  • 7
    • Number of minimum characters required if the password contains characters from four character classes

To put it simply, an ESXi password cannot consist of characters from only one class or only two classes. Also, by default, pass phrases are disabled, as shown in the format above. That is the meaning of the first three disabled placeholders.

A password may be built from either three or four character classes. Those are the fourth and fifth placeholders respectively, with the character requirements below.

A password from three character classes requires a minimum length of 7 characters.

A password from four different character classes requires the same minimum length as one from three character classes, i.e. 7.

Which character classes are we referring to?

  • Lowercase letters
  • Uppercase letters
  • Numbers
  • Special characters (e.g. _ or -)

What are the default settings?

  • By default, a mix of characters from four character classes is used when creating a password.
  • By default, the password length should be more than 7 and less than 40.
  • Passwords cannot contain a dictionary word or part of a dictionary word.

Other rules to consider

  • An uppercase character that begins a password does not count toward the number of character classes used.
  • A number that ends a password does not count toward the number of character classes used.

I hope this clarifies how the ESXi password policy works. If it is still not clear, check the examples below.

  • Modify the policy to allow a passphrase with a minimum of 10 characters, keeping the other defaults.

retry=3 min=disabled,disabled,10,7,7

  • Modify the policy to allow a password from two character classes with a minimum length of 14 characters, keeping the other defaults.

retry=3 min=disabled,14,disabled,7,7
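As an added worked example (not part of the original post, and not VMware's or pam_passwdqc's own code), the Python below models how the five min= placeholders and the two counting rules described above apply to candidate passwords, then runs the default policy and the two modified policies over a few constructed candidates. It assumes pam_passwdqc's upstream defaults of 3 words for something to count as a passphrase and 40 characters as the upper length bound, and it deliberately does not implement the dictionary-word check.

```python
"""Model of how pam_passwdqc's min= placeholders apply to a candidate
password, following the rules in the post.  Added example for illustration:
it does not call PAM and it skips the dictionary-word check."""

from typing import Any, Dict, Tuple

MAX_LEN = 40          # upper length bound from the post (pam_passwdqc's max= default)
PASSPHRASE_WORDS = 3  # assumed: pam_passwdqc's passphrase= default word count


def parse_policy(setting: str) -> Dict[str, Any]:
    """Parse a Security.PasswordQualityControl string such as
    'retry=3 min=disabled,disabled,disabled,7,7'.  Each 'disabled'
    placeholder becomes None: that kind of password is not allowed."""
    policy: Dict[str, Any] = {"retry": 3, "min": [None, None, None, 7, 7]}
    for token in setting.split():
        key, _, value = token.partition("=")
        if key == "retry":
            policy["retry"] = int(value)
        elif key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs exactly five placeholders")
            policy["min"] = [None if f == "disabled" else int(f) for f in fields]
        else:
            raise ValueError(f"option not modelled here: {key}")
    return policy


def character_classes(password: str) -> int:
    """Count the classes present (lowercase, uppercase, digit, other), applying
    the post's two rules: an uppercase letter that begins the password and a
    digit that ends it do not count toward the class total."""
    body = password
    if body[:1].isupper():
        body = body[1:]
    if body[-1:].isdigit():
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def check_password(password: str, policy: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate under a parsed policy."""
    n0, n1, n2, n3, n4 = policy["min"]
    length = len(password)
    if length > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Passphrase route (third placeholder): enough words and long enough.
    words = len(password.split())
    if n2 is not None and words >= PASSPHRASE_WORDS and length >= n2:
        return True, f"accepted as a {words}-word passphrase"
    # Otherwise the class count selects placeholder 1, 2, 4 or 5.
    classes = character_classes(password)
    required = {1: n0, 2: n1, 3: n3, 4: n4}.get(classes)
    if required is None:
        return False, f"passwords with {classes} character class(es) are disabled"
    if length < required:
        return False, f"{classes} classes need at least {required} characters, got {length}"
    return True, f"accepted with {classes} character classes"


DEFAULT_POLICY = "retry=3 min=disabled,disabled,disabled,7,7"
PASSPHRASE_POLICY = "retry=3 min=disabled,disabled,10,7,7"
TWO_CLASS_POLICY = "retry=3 min=disabled,14,disabled,7,7"

# Constructed candidates for the demonstration, not real credentials.
SAMPLES = [
    "Password1",                  # leading 'P' and trailing '1' do not count: one class
    "pa$sW0rd",                   # four classes in 8 characters
    "lowercase-only",             # two classes (lowercase plus '-'), 14 characters
    "blue kettle quiet harbour",  # four words, 25 characters, two classes
]


def evaluate(setting: str) -> Dict[str, bool]:
    """Map each sample to whether the given policy string accepts it."""
    policy = parse_policy(setting)
    return {pw: check_password(pw, policy)[0] for pw in SAMPLES}


if __name__ == "__main__":
    for name, setting in (("default", DEFAULT_POLICY),
                          ("passphrase", PASSPHRASE_POLICY),
                          ("two-class", TWO_CLASS_POLICY)):
        print(f"{name}: {setting}")
        policy = parse_policy(setting)
        for pw in SAMPLES:
            accepted, reason = check_password(pw, policy)
            print(f"  {'OK' if accepted else '--'} {pw!r}: {reason}")
```

Running it shows the effect of each placeholder: under the default policy only the four-class candidate passes, the passphrase policy additionally admits the four-word phrase via the third placeholder, and the two-class policy admits the 14-character lowercase-plus-hyphen candidate via the second placeholder. The "Password1" candidate is rejected everywhere because, after discarding the leading uppercase letter and the trailing digit, only one class remains.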

Feel free to comment if you still have any queries.

Be social and do share if you like the post.

5 thoughts on “ESXi 7 Password policy”

  1. I updated ESXi & vCenter from 6.5 to 7 and noticed the Security.PasswordQualityControl value is reset to defaults. Did anyone else notice this?

  2. Hi Abhijeet D,

    I would like to set the password to have 4 classes and be 15 characters long.
    What would be the correct password policy to edit?

    1. Try this:

      retry=3 min=15,1,1,1,1

      This policy requires a minimum password length of 15 characters, with at least one character from each of the following character classes: uppercase letters, lowercase letters, numbers, and special characters. The fifth value of 1 indicates that there is no specific minimum requirement for any additional character classes beyond the first four.
