ESXi Password Policy & Account Lockout: Best Practices & Configuration Guide

Article ID: 412881


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article describes how ESXi enforces password requirements and lockout behavior, outlines default and recommended settings, and provides sample configurations that align with security principles.

Environment

  • VMware vSphere ESXi 8.0
  • VMware vSphere ESXi 7.0

Resolution

1. Default ESXi Password Policy & Behavior

  • The advanced setting Security.PasswordQualityControl controls password complexity for local ESXi accounts (including root).
  • In vSphere 7.x, the default complexity policy requires minimum length 7 characters and enforces checks against dictionary words.
  • The default value is commonly:

    retry=3 min=disabled,disabled,disabled,7,7

    This means:

    • The user gets 3 attempts to set a valid password.
    • For 3-character-class or 4-character-class passwords, at least 7 total characters are required.
    • 1- or 2-class passwords (only one or two character types) are not allowed by default.

2. Understanding the min= Component

The min= portion of the policy has 5 comma-separated slots, reflected in this order:

min = N0, N1, N2, N3, N4

Where:

Slot   Meaning / Context                                                VMware/Community Default / Behavior
N0     Required length when password uses only one character class      Usually disabled (disallowed)
N1     Required length for passwords using two character classes        disabled by default
N2     Required length when password is a "phrase" (passphrase style)   Usually disabled by default
N3     Required length when password uses three character classes       Default = 7
N4     Required length when password uses four character classes        Default = 7

Key insight: Because N0, N1, and N2 are often disabled, ESXi effectively requires passwords to use at least 3 of the 4 character classes (uppercase, lowercase, digits, special characters) to be valid at all.

Also, some edge cases may occur: characters at the beginning or end of the password may not count toward certain class requirements depending on internal parsing.

3. Lockout & Account Policy Behavior

  • ESXi enforces password policy for login methods such as Direct Console (DCUI), ESXi Shell, SSH, and Host Client.
  • VMware’s upgrade documentation for vSphere 7.0 notes that the password length constraints (≥7, <40) and dictionary checks also apply on upgrade to new versions.
  • For vCenter Single Sign-On (SSO) accounts, a separate lockout policy is in place: by default, a user is locked out after 5 consecutive failed logins within 3 minutes, and the lock resets after 5 minutes. See: vCenter Password Requirements and Lockout Behavior.

4. Sample Configuration to Enforce Strong Policy

The following configuration enforces a strong password policy with the requirements:

  • Minimum length = 14
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Since the pam_passwdqc module does not allow specifying the exact number of characters per class, this configuration enforces the use of all four classes with a minimum length of 14:

retry=3 min=disabled,disabled,disabled,disabled,14

Meaning:

  • One-, two-, and three-class passwords are disallowed.
  • Four-class passwords require a minimum length of 14 characters.
  • Users have three attempts to provide a valid password.

Command to Apply:

esxcli system settings advanced set -o /UserVars/Security.PasswordQualityControl -s "retry=3 min=disabled,disabled,disabled,disabled,14"

  • ESXi 8.x
    • vim-cmd hostsvc/advopt/update Security.PasswordQualityControl string "retry=3 min=disabled,disabled,disabled,disabled,14"

Command to Verify:

esxcli system settings advanced list -o /UserVars/Security.PasswordQualityControl

  • ESXi 8.x
    • vim-cmd hostsvc/advopt/view Security.PasswordQualityControl

To allow both three-class and four-class passwords with a minimum length of 14 characters, use:

retry=3 min=disabled,disabled,disabled,14,14

5. Considerations & Caveats

  • Some combinations may be rejected by ESXi if they violate internal parsing constraints (e.g. class requirement exceeds total length). Always test on non-production hosts first.
  • Because of internal logic, configuring N0–N2 is often discouraged.
  • If a password change fails repeatedly (or “does not meet requirements”), review the current Security.PasswordQualityControl setting, or switch to a more lenient test value temporarily.
  • When upgrading ESXi versions, VMware ensures backward compatibility for password rules, but restricts maximum length to < 40 characters.
  • Always retain a method for root access (DCUI, console, SSH) to revert policy changes if misconfigured.

6. Scope

  • The password policy is uniformly applied to all users within the ESXi host, and it is not possible to implement a different password policy for individual users.
