Password restrictions, password expiration, and account lockout in your vSphere environment depend on the system that the user targets, who the user is, and how policies are set.

ESXi password restrictions are determined by certain requirements. See ESXi Passwords and Account Lockout.

vCenter Single Sign-On manages authentication for all users who log in to vCenter Server and other vCenter services. The password restrictions, password expiration, and account lockout depend on the domain of the user and on who the user is.

Password for the vCenter Single Sign-On Administrator

The password for the administrator@vsphere.local user, or the administrator@mydomain user if you selected a different domain during installation, does not expire and is not subject to the lockout policy. In all other regards, the password must follow the restrictions that are set in the vCenter Single Sign-On password policy. See the vSphere Authentication documentation for details.

If you forget the password for this user, search the VMware Knowledge Base system for information on resetting this password. The reset requires additional privileges such as root access to the vCenter Server system.

Passwords for Other Users of the vCenter Single Sign-On Domain

Passwords for other vsphere.local users, or users of the domain that you specified during installation, must follow the restrictions that are set by the vCenter Single Sign-On password policy and lockout policy. See the vSphere Authentication documentation for details. These passwords expire after 90 days by default. Administrators can change the expiration as part of the password policy.

If you forget your vsphere.local password, an administrator user can reset the password using the dir-cli command.

Passwords for Users from Other Identity Sources

Password restrictions, password expiration, and account lockout for all other users are determined by the domain (identity source) to which the user can authenticate.

vCenter Single Sign-On supports one default identity source. Users can log in to the corresponding domain with the vSphere Client with their user names. To log in to a non-default domain, users include the domain name, that is, they specify user@domain or domain\user. Each domain's own password parameters apply to that domain.
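The following Python example is added here for illustration and is not VMware code. It parses a login name in the forms described above and reports which policy governs its password restrictions, expiration, and lockout. The function names, the case-insensitive comparison, and the sample logins are assumptions made for the example.

```python
from dataclasses import dataclass

SSO_DEFAULT_EXPIRY_DAYS = 90  # default stated above; administrators can change it


@dataclass(frozen=True)
class Governing:
    user: str
    domain: str
    restrictions: str  # what sets the password restrictions
    expiry: str
    lockout: str


def split_login(login, default_domain):
    """Parse user@domain, domain\\user, or a bare name (default identity source)."""
    if "\\" in login:
        domain, user = login.split("\\", 1)
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
    else:
        user, domain = login, default_domain
    if not user or not domain:
        raise ValueError(f"malformed login name: {login!r}")
    # Assumption: names are compared case-insensitively.
    return user.lower(), domain.lower()


def governing_policy(login, sso_domain="vsphere.local", default_domain="vsphere.local"):
    """Return which policy governs this login, following the rules on this page."""
    user, domain = split_login(login, default_domain)
    if domain != sso_domain.lower():
        src = f"identity source {domain}"
        return Governing(user, domain, src, src, src)
    sso = "vCenter Single Sign-On password policy"
    if user == "administrator":
        return Governing(user, domain, sso, "does not expire", "not subject to lockout")
    return Governing(user, domain, sso, f"{SSO_DEFAULT_EXPIRY_DAYS} days by default",
                     "vCenter Single Sign-On lockout policy")


if __name__ == "__main__":
    # Constructed sample logins, not taken from a real environment.
    for name in ("administrator@vsphere.local", "bob", "CORP\\alice"):
        print(governing_policy(name))
```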

Passwords for vCenter Server Direct Console User Interface Users

The vCenter Server Appliance is a preconfigured virtual machine that is optimized for running vCenter Server and the associated services.

When you deploy vCenter Server, you specify these passwords:
  • Password for the root user.
  • Password for the administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default.

You can change the root user password and perform other vCenter Server local user management tasks from the vCenter Server Management Interface. See the vCenter Server Configuration documentation.