By default, ESXi uses the pam_passwdqc.so plug-in to set the rules that users must observe when creating passwords and to check password strength.

The pam_passwdqc.so plug-in lets you determine the basic standards that all passwords must meet. By default, ESXi imposes no restrictions on the root password. However, when nonroot users attempt to change their passwords, the passwords they choose must meet the basic standards that pam_passwdqc.so sets.

A valid password should draw on as many of the four character classes as possible: lowercase letters, uppercase letters, digits, and special characters such as an underscore or dash. The more classes a password uses, the shorter it is allowed to be.

Note

When the plug-in counts character classes, it does not count an uppercase letter used as the first character of the password or a digit used as the last character. For example, Password1 counts as a single character class (lowercase letters only).

To configure password complexity, change the default values of the following parameters in the Security.PasswordQualityControl advanced system setting of the host.

retry is the number of times a user is prompted for a new password if the password candidate is not sufficiently strong.

N0 is the number of characters required for a password that uses characters from only one character class. For example, the password contains only lowercase letters.

N1 is the number of characters required for a password that uses characters from two character classes.

N2 is the number of characters required for a passphrase. ESXi requires three words for a passphrase. Each word in the passphrase must be 8-40 characters long.

N3 is the number of characters required for a password that uses characters from three character classes.

N4 is the number of characters required for a password that uses characters from all four character classes.

match is the length of a substring reused from the old password that the plug-in treats as significant. If the pam_passwdqc.so plug-in finds a reused substring of this length or longer, it removes that substring before the strength test and evaluates only the remaining characters.

Setting any of these options to -1 directs the pam_passwdqc.so plug-in to ignore the requirement.

Setting any of these options to disabled directs the pam_passwdqc.so plug-in to reject every password with the associated characteristic, regardless of its length. The numeric values of N0 through N4 must be in descending order; -1 and disabled are exempt from this rule.
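The following Python script is an added example, not code from VMware or from pam_passwdqc itself. It models the rules listed above so that the effect of N0 through N4, the character-class exception in the Note, passphrases, match and the descending-order rule can be tried offline against sample passwords. Its assumptions: the ESXi default policy string is retry=3 min=disabled,disabled,disabled,7,7 (the value of the Security.PasswordQualityControl advanced setting); the plug-in's own defaults of match=4 and passphrase=3 apply when a policy string does not set them; words are runs of letters; the 8-40 character rule for passphrase words is taken from the text above; and match is applied by discarding the longest substring shared with the old password. The sample passwords are constructed for the example.

```python
import re

# Assumed ESXi default (value of Security.PasswordQualityControl) and the
# plug-in's own Linux default, for comparison.
ESXI_DEFAULT = "retry=3 min=disabled,disabled,disabled,7,7"
LINUX_DEFAULT = "retry=3 min=disabled,24,11,8,7"


def parse_policy(policy):
    """Parse 'retry=N min=N0,N1,N2,N3,N4 [match=N] [passphrase=N]'.

    Rejects unknown keys, a wrong number of min= fields, and numeric min=
    values that are not in descending order (disabled and -1 are exempt).
    """
    opts = {"retry": 3, "min": ["disabled", 24, 11, 8, 7], "match": 4, "passphrase": 3}
    for token in policy.split():
        key, _, value = token.partition("=")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs exactly five values N0,N1,N2,N3,N4")
            opts["min"] = [f if f in ("disabled", "-1") else int(f) for f in fields]
        elif key in ("retry", "match", "passphrase"):
            opts[key] = int(value)
        else:
            raise ValueError("unsupported option: " + key)
    numeric = [v for v in opts["min"] if isinstance(v, int)]
    if any(a < b for a, b in zip(numeric, numeric[1:])):
        raise ValueError("min= values must be in descending order")
    return opts


def policy_is_valid(policy):
    """True if the policy string parses; useful before writing a new value."""
    try:
        parse_policy(policy)
        return True
    except ValueError:
        return False


def count_classes(candidate):
    """Count character classes as the Note above describes: an uppercase first
    character and a digit last character are not counted."""
    body = candidate[1:] if candidate[:1].isupper() else candidate
    body = body[:-1] if body[-1:].isdigit() else body
    return sum([any(c.islower() for c in body), any(c.isupper() for c in body),
                any(c.isdigit() for c in body), any(not c.isalnum() for c in body)])


def longest_common_substring(a, b):
    """Longest run of characters shared by a and b (used for match=N)."""
    best = ""
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > len(best):
                best = a[i:i + k]
    return best


def check_password(candidate, policy=ESXI_DEFAULT, old_password=None):
    """Return (accepted, reason) for one candidate under one policy string."""
    opts = parse_policy(policy)
    tested = candidate
    if old_password and opts["match"] > 0:
        reused = longest_common_substring(candidate, old_password)
        if len(reused) >= opts["match"]:      # match=N: the reused run is
            tested = candidate.replace(reused, "", 1)  # discarded, the rest tested
    classes, length = count_classes(tested), len(tested)
    words = re.findall(r"[A-Za-z]+", tested)  # assumption: words are letter runs
    n = opts["min"]

    def ok(threshold):  # -1 ignores the requirement, disabled never passes
        return threshold == "-1" or (threshold != "disabled" and length >= threshold)

    # Test the threshold for the observed class count, then fall back to the
    # thresholds for fewer classes. With a correctly descending policy the
    # fallback never loosens anything; a mis-ordered policy would.
    for k in range(classes, 0, -1):
        if k == 4 and ok(n[4]):
            return True, "4 classes, %d characters (N4)" % length
        if k == 3 and ok(n[3]):
            return True, "3 classes, %d characters (N3)" % length
        if k == 2:
            if ok(n[1]):
                return True, "2 classes, %d characters (N1)" % length
            # Passphrase path: enough words of 8-40 characters each (as stated
            # above) and a total length that meets N2.
            if (len(words) >= opts["passphrase"]
                    and all(8 <= len(w) <= 40 for w in words) and ok(n[2])):
                return True, "passphrase of %d words (N2)" % len(words)
        if k == 1 and ok(n[0]):
            return True, "1 class, %d characters (N0)" % length
    return False, "%d class(es), %d characters tested: too short or too few classes" % (
        classes, length)


if __name__ == "__main__":
    # Constructed sample candidates, checked against the assumed ESXi default.
    for pw, old in [("Password1", None), ("PAssw0rd!", None), ("xK9#q2", None),
                    ("Tr0ub4dor&3", None), ("correct horse battery staple", None),
                    ("Summer2024!", "Summer2023!")]:
        print("%-30s %s" % (pw, check_password(pw, old_password=old)))
```

Under the assumed ESXi default, Password1 is rejected because the leading uppercase letter and trailing digit leave it with one character class, which is disabled, while PAssw0rd! passes with four classes and nine characters. Summer2024! passes on its own but not as a replacement for Summer2023!, because the nine shared characters are discarded and only 4! is tested. A passphrase is accepted only through N2, which the ESXi default disables. On a host, the live value of the setting can be read with esxcli system settings advanced list -o /Security/PasswordQualityControl and written with esxcli system settings advanced set -o /Security/PasswordQualityControl -s "..."; checking a new string with policy_is_valid first avoids pushing a mis-ordered min= list to the host.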

Note

The pam_passwdqc.so plug-in used on Linux provides more parameters than ESXi supports.

For more information on the pam_passwdqc.so plug-in, see your Linux documentation.