Newer Version Available

This content describes an older version of this product. View Latest

Set Password Policies

Improve your Salesforce org security with password protection. You can set password history, length, and complexity requirements. You can also specify what to do when a user forgets the password.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

User Permissions Needed
To set password policies: Manage Password Policies
You can set different password and login policies based on the type of user.

User passwords cannot exceed 16,000 bytes.

Logins are limited to 3,600 per hour per user. This limit applies to organizations created after Summer ’08.

Note

  1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
  2. Customize the password settings.
    Field Description
    User passwords expire in The length of time until a user password expires and must be changed. The default is 90 days. This setting isn’t available for Self-Service portals. This setting doesn’t apply to users with the Password Never Expires permission.

    When you change the User passwords expire in setting and the new expiration date is earlier than a user’s previous expiration date, the change affects the user’s password expiration date. To remove an expiration date, select Never expires.

    Enforce password history Save users’ previous passwords so that they must use a new, unique password when changing passwords. Password history is not saved until you set this value. The default is 3 passwords remembered. You cannot select No passwords remembered unless you select Never expires for the User passwords expire in field. This setting isn’t available for Self-Service portals.
    Minimum password length The minimum number of characters required for a password. When you set this value, existing users aren’t affected until the next time they change their passwords. The default is 8 characters.
    Password complexity requirement The types of characters that must be used in a user’s password.
    • No restrictionHas no requirements and is the least secure option.
    • Must mix alpha and numeric charactersThe default setting. Requires at least one alphabetic character and one number.
    • Must mix alpha, numeric, and special charactersRequires at least one alphabetic character, one number, and one of the following characters: ! # $ % - _ = + < >.
    • Must mix numbers and uppercase and lowercase lettersRequires at least one number, one uppercase letter, and one lowercase letter.
    • Must mix numbers, uppercase and lowercase letters, and special charactersRequires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! # $ % - _ = + < >.

    Only the characters listed meet the requirement. Other symbol characters are not considered special characters.

    Note

    Password question requirement Choose Cannot contain password to restrict the answer to the password hint question from containing the password itself. Choose None, the default, for no restrictions on the answer. The user must provide an answer to the password hint question. This setting is not available for Self-Service portals, Customer Portals, or partner portals.
    Maximum invalid login attempts The number of login failures allowed for a user before the user is locked out. This setting isn’t available for Self-Service portals.
    Lockout effective period The duration of the login lockout. The default is 15 minutes. This setting isn’t available for Self-Service portals.

    When a user is logged in to an active session but is later locked out, the user remains logged in to the active session.

    A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.

    1. Enter Users in the Quick Find box.
    2. Select Users.
    3. Select the user, and click Unlock.

    This button is available only when a user is locked out.

    Note

    Obscure secret answer for password resets Hide answers to security questions as the user types. The default is to show the answer in plain text.

    If your org uses the Microsoft Input Method Editor (IME) with the input mode set to Hiragana, when you type ASCII characters, they’re converted in to Japanese characters in normal text fields. However, the IME doesn’t work properly in fields with obscured text. If your org’s users cannot properly enter their passwords or other values after enabling this feature, disable the feature.

    Note

    Require a minimum 1 day password lifetime A password can’t be changed more than once in a 24-hour period.
    Allow use of setPassword() API for self-resets When selected, apps can use the setPassword() API to change the current user’s password to a specific value. Deselect this option for increased security. When deselected, apps must use the changeOwnPassword() API to prompt users to set their password value. The changeOwnPassword() API verifies the user’s current password before allowing the change. When you deselect this option, you can’t select it again.
  3. Customize the forgotten password and locked account assistance information.

    This setting is not available for Self-Service portals, Customer Portals, or partner portals.

    Note

    Field Description
    Message If set, the message you enter appears in the “We can’t reset your password” email. Users receive this email when they lock themselves out by trying to reset their password too many times. The text also appears at the bottom of the Answer Your Security Question page when users reset their passwords.

    You can add the name of your internal help desk or a system administrator to the default text. The message appears only for accounts that need an administrator to reset the password. Lockouts due to time restrictions get a different system email message.

    Help link If set, this link displays along with the text defined in the Message field. In the “We can’t reset your password” email, the URL displays exactly as typed in the Help link field, so the user can see where the link goes. This URL display format is for security because the user is not within a Salesforce org.

    On the Answer Your Security Question page, the Help link URL combines with the text in the Message field and forms a clickable link. Security isn’t an issue because the user is in a Salesforce org when changing passwords.

    Valid protocols are:
    • http
    • https
    • mailto
  4. Specify an alternative home page for users with the API Only User permission. After completing user management tasks such as resetting a password, API-only users are redirected to the specified URL rather than to the login page.
  5. Click Save.