Thursday, November 27, 2014

ESXi password complexity requirements

Have you ever tried to set or change the root password on an ESXi host and received the following error message?
Weak password: not enough different characters or classes for this length.
passwd: Authentication token manipulation error

For security reasons, VMware ESXi enforces password requirements. Understanding how they work helps you avoid errors like the one above.

The password length requirement will depend on the number of classes used to compose it.
The classes available are:
- lowercase letters;
- uppercase letters;
- numbers;
- special characters;

With that in mind, a password must meet the following rules:
If it contains just one or two character classes it must be at least 8 characters long;
If it contains three character classes it must be at least 7 characters long;
If it contains all four character classes it must be at least 6 characters long;

One thing to note: if the password starts with an uppercase letter or ends with a number, those characters do not count toward the number of valid characters.
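The rules above can be modelled in a few lines of Python to see why a password that looks complex is still rejected. This is an added example, not code from the original post or from VMware; it covers only the class and length rules described here, the function names and sample passwords are constructed, and it assumes a leading uppercase letter or trailing number is ignored when counting classes but still counts toward length.

```python
import string

# Minimum length per number of counted classes, as stated in the post.
MIN_LENGTH = {1: 8, 2: 8, 3: 7, 4: 6}


def classify(ch):
    """Map a character to one of the four classes listed in the post."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    return "special"  # assumption: everything else is a special character


def counted_classes(password):
    """Return the classes that count, ignoring a leading uppercase
    letter and a trailing number (assumed interpretation of the rule)."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for ch in password:
        counts[classify(ch)] += 1
    if password and password[0] in string.ascii_uppercase:
        counts["upper"] -= 1
    if password and password[-1] in string.digits:
        counts["digit"] -= 1
    return {name for name, n in counts.items() if n > 0}


def check(password):
    """Return (accepted, counted class count, required minimum length)."""
    classes = len(counted_classes(password))
    required = MIN_LENGTH.get(classes)  # None when no class counts
    accepted = required is not None and len(password) >= required
    return accepted, classes, required


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in ["Vmware1", "Vm!ab1", "vM1!ab", "Vmware01"]:
        ok, classes, required = check(pw)
        verdict = "accepted" if ok else "rejected"
        print(f"{pw!r}: {classes} counted classes, "
              f"needs {required}, has {len(pw)} -> {verdict}")
```

"Vm!ab1" and "vM1!ab" use the same kinds of characters, but only the second counts as four classes, because the first puts its only uppercase letter at the start and its only number at the end.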

If you think these requirements are too restrictive (or maybe not restrictive enough), you can change the pam.d module settings so that the requirements meet your company’s policy; see KB1012033 to learn how.

Caution: inadvertently reducing the password complexity might reduce the security of ESXi.

1 comment:

Unknown said...

It is an informative post.


Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills in medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and making them successful on their journey. Despite the fact that I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
