Information
ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. Options
include setting minimum password length, requiring password characters to come from
particular character sets, and restricting the number of consecutive failed logon
attempts permitted. The settings should enforce the organization's password policies.
Note that an uppercase character that begins a password does not count toward the
number of character classes used, and neither does a number that ends a password.
*Rationale*
All passwords for ESXi hosts should be hard to guess to reduce the risk of unauthorized access.
Note: ESXi imposes no restrictions on the root password. Password strength and complexity rules only apply to non-root users.
Solution
To set the password complexity requirements, perform the following:
1. Login to the ESXi shell as a user with administrator privileges.
2. Open /etc./pam.d/passwd
3. Locate the following line: password requisite /lib/security/$ISA/pam_passwdqc.so retry=N min=N0,N1,N2,N3,N44.
Set N is less than or equal to 5
5. Set N0 to disabled
6. Set N1 to disabled
7. Set N2 to disabled
8. Set N3 to disabled
9. Set N4 to 14 or greater
The above requires all passwords to be 14 or more characters long and comprised of at
least one character from four distinct character sets. Additionally, a maximum of 5 login
attempts are permitted.