Password management

It is important to use strong passwords that are not easily guessed and that are difficult for password generators to determine. Password strength and complexity rules apply to all passwords, including those of host users (such as root).

ESXi uses the pam_passwdqc.so plugin to enforce the strength and complexity of host passwords. You can define the password quality through the host's advanced system setting named Security.PasswordQualityControl.
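The value of Security.PasswordQualityControl is a pam_passwdqc option string, so it can be audited offline. The following is an added example, not code from the book or from VMware: it parses the `retry=` and `min=N0,N1,N2,N3,N4` options as defined by pam_passwdqc and reports weak settings. The sample strings in the test calls are constructed, and `floor` is a hypothetical site baseline.

```python
# Added example: audit a pam_passwdqc option string such as the one held in
# Security.PasswordQualityControl. Field meanings follow pam_passwdqc's
# min=N0,N1,N2,N3,N4 option; "disabled" forbids that kind of password.
KINDS = ("one class", "two classes", "passphrase", "three classes", "four classes")


def parse_passwdqc(value):
    """Return {'retry': int or None, 'min': {kind: int or None}} (None = disabled)."""
    opts = dict(tok.split("=", 1) for tok in value.split() if "=" in tok)
    if "min" not in opts:
        raise ValueError("no min= option present")
    fields = opts["min"].split(",")
    if len(fields) != len(KINDS):
        raise ValueError("min= needs five comma-separated fields")
    mins = {k: (None if f == "disabled" else int(f)) for k, f in zip(KINDS, fields)}
    retry = int(opts["retry"]) if "retry" in opts else None
    return {"retry": retry, "min": mins}


def audit(value, floor=12):
    """Return a list of findings; `floor` is a hypothetical baseline length."""
    mins = parse_passwdqc(value)["min"]
    findings = []
    for kind, length in mins.items():
        if length is None:
            continue  # this kind of password is rejected outright
        if kind in ("one class", "two classes"):
            findings.append(f"{kind}: low-complexity passwords allowed (min {length})")
        elif kind != "passphrase" and length < floor:
            # passphrases are judged by word count as well, so no floor check here
            findings.append(f"{kind}: minimum length {length} is below {floor}")
    # pam_passwdqc requires each enabled length to be no larger than the previous one
    enabled = [n for n in mins.values() if n is not None]
    if any(later > earlier for earlier, later in zip(enabled, enabled[1:])):
        findings.append("min= lengths increase from left to right; value is invalid")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not read from a real host.
    for sample in ("retry=3 min=disabled,disabled,disabled,7,7",
                   "retry=3 min=disabled,disabled,disabled,14,14"):
        print(sample, "->", audit(sample) or "no findings")
```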

ESXi 6.0 introduced a new account lockout feature; by default, a maximum of 10 failed attempts is allowed before the account is locked. The account is unlocked after 2 minutes by default. In the host's events you will see the following entry:

Remote access to ESXi local user account 'LOGINNAME' has been locked for 120 seconds after ### failed login attempts.

Account locking works for access through SSH and through the vSphere Web Services SDK. It does not apply to the DCUI or the ESXi Shell. For vCenter Server (or rather the PSC component), SSO users have specific policies defined in the SSO configuration (currently only through the vSphere Web Client):

[Figure: SSO configuration]

If you are using AD users, both for hosts and vCenter, then the password policies are enforced by the AD GPO.

There are also password expiration rules for the virtual appliance local users, in case you are using vCSA for vCenter and/or the PSC components. Be sure to also check those settings.
