Users in the local domain, vsphere.local by default, can change their vCenter Single Sign-On passwords from the vSphere Client. Users in other domains change their passwords following the rules for that domain.
The vCenter Single Sign-On lockout policy determines when your password expires. By default, vCenter Single Sign-On passwords expire after 90 days, but administrator passwords such as the password for administrator@vsphere.local do not expire. vCenter Single Sign-On management interfaces show a warning when your password is about to expire.
If the password is expired, the administrator of the local domain, administrator@vsphere.local by default, can reset the password by using the dir-cli password reset command. Only members of the Administrator group for the vCenter Single Sign-On domain can reset passwords.