4.2 Ensure passwords are required to be complex


ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. Options include setting minimum password length, requiring password characters to come from particular character sets, and restricting the number of consecutive failed logon attempts permitted. The settings should enforce the organization's password policies.

Note that an uppercase character that begins a password does not count toward the number of character classes used, and neither does a number that ends a password.


All passwords for ESXi hosts should be hard to guess to reduce the risk of unauthorized access.

Note: ESXi imposes no restrictions on the root password. Password strength and complexity rules only apply to non-root users.


To set the password complexity requirements, perform the following:

Login to the ESXi shell as a user with administrator privileges.

Open /etc./pam.d/passwd.

Locate the following line:

password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N4

Set N to less than or equal to 5.

Set N0 to disabled.

Set N1 to disabled.

Set N2 to disabled.

Set N3 to disabled.

Set N4 to 14 or greater.

The above requires all passwords to be 14 or more characters long and comprised of at least one character from four distinct character sets. Additionally, a maximum of 5 consecutive failed login attempts are permitted.

See Also