The ease with which an attacker can log in to an ESX host depends on finding a legitimate user name and password combination. You can set password restrictions to help prevent attackers from obtaining user passwords.

A malicious user can obtain a password in a number of ways. For example, an attacker can sniff insecure network traffic, such as Telnet or FTP transmissions, for successful login attempts. Another common method is to crack the password by running a password generator that tries every character combination up to a certain length, or that tries real words and simple mutations of real words.

Implementing restrictions that govern the length, character sets, and duration of passwords can make attacks that rely on a password generator more difficult. The longer and more complex the password, the harder it is for an attacker to discover. The more often users have to change passwords, the more difficult it is to find a password that works repeatedly.


Always consider the human factor when you decide how to implement password restrictions. If you make passwords too hard to remember or enforce frequent password changes, your users might be inclined to write down their passwords, which eliminates any benefit.

To help protect your password database from misuse, password shadowing is enabled so that password hashes are hidden from access. Also, ESX uses MD5 password hashes, which provide stronger password security and let you set minimum length requirements to more than eight characters.
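
The shadowing, MD5 hashing, and password duration settings described above can be verified by auditing the account files. The following Python code is an added example, not VMware code: it assumes the standard Linux passwd and shadow file formats, all account lines and hash strings are constructed placeholders, and the 90-day limit is an assumed policy value.

```python
# Added example: audit shadowing, hash scheme and maximum password age.
# All account lines below are constructed; the hash strings are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:100::/home/alice:/bin/bash
bob:x:501:100::/home/bob:/bin/bash
carol:abCONSTRUCTED:502:100::/home/carol:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUC$placeholderhash0000000:14000:0:90:7:::
alice:$1$CONSTRUC$placeholderhash1111111:14000:0:99999:7:::
bob:abCONSTRUCTED:14000:0:60:7:::
daemon:*:14000:0:99999:7:::
"""
MAX_AGE_DAYS = 90  # assumed site policy, not a value from the page


def audit(passwd_text, shadow_text, max_age=MAX_AGE_DAYS):
    """Return sorted (account, finding) pairs for weak password storage."""
    findings = []
    for line in passwd_text.splitlines():
        name, pw = line.split(":")[:2]
        if pw != "x":
            # Anything but "x" means the field is not deferred to the shadow file.
            findings.append((name, "not-shadowed"))
    for line in shadow_text.splitlines():
        fields = line.split(":")
        name, pw, max_days = fields[0], fields[1], fields[4]
        if pw.startswith(("!", "*")):
            continue  # locked account, no password login possible
        if pw == "":
            findings.append((name, "empty-password"))
        elif not pw.startswith("$"):
            # No $id$ prefix: traditional DES crypt, which only uses
            # the first eight characters of the password.
            findings.append((name, "des-crypt"))
        if not max_days.isdigit() or int(max_days) > max_age:
            findings.append((name, "max-age"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

Accounts whose shadow entry starts with `$1$` use MD5 hashes and produce no hash-scheme finding; only the storage and aging problems are reported.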