
Setting Password Policies

Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

User Permissions Needed
To set password policies: “Manage Password Policies”
For your organization’s security, you can set various password and login policies.

Note

User passwords cannot exceed 16,000 bytes.

Logins are limited to 3,600 per hour per user. This limit applies to organizations created after Summer ’08.

  1. From Setup, click Security Controls | Password Policies.
  2. Customize the password settings.
    User passwords expire in
      The length of time until all user passwords expire and must be changed. Users with the “Password Never Expires” permission are not affected by this setting. The default is 90 days. This setting is not available for Self-Service portals.
    Enforce password history
      Save users’ previous passwords so that they must always reset their password to a new, unique password. Password history is not saved until you set this value. The default is 3 passwords remembered. You cannot select No passwords remembered unless you select Never expires for the User passwords expire in field. This setting is not available for Self-Service portals.
    Minimum password length
      The minimum number of characters required for a password. When you set this value, existing users aren’t affected until the next time they change their passwords. The default is 8 characters.
    Password complexity requirement
      The requirement for which types of characters must be used in a user’s password.
      Complexity levels:
      • No restriction allows any password value and is the least secure option.
      • Must mix alpha and numeric characters requires at least one alphabetic character and one number. This is the default.
      • Must mix alpha, numeric, and special characters requires at least one alphabetic character, one number, and one of the following characters: ! # $ % - _ = + < >.
      • Must mix numbers and uppercase and lowercase letters requires at least one number, one uppercase letter, and one lowercase letter.
      • Must mix numbers, uppercase and lowercase letters, and special characters requires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! # $ % - _ = + < >.
    Password question requirement
      The values are Cannot contain password, meaning that the answer to the password hint question cannot contain the password itself; or None, the default, for no restrictions on the answer. The user’s answer to the password hint question is required. This setting is not available for Self-Service portals, Customer Portals, or partner portals.
    Maximum invalid login attempts
      The number of login failures allowed for a user before they become locked out. This setting is not available for Self-Service portals.
    Lockout effective period
      The duration of the login lockout. The default is 15 minutes. This setting is not available for Self-Service portals.

      Note

      If users are locked out, they must wait until the lockout period expires. Alternatively, a user with the “Reset Passwords and Unlock Users” permission can unlock them from Setup by clicking Manage Users | Users, selecting the user, then clicking Unlock. This button is only available when a user is locked out.
    Obscure secret answer for password resets
      This feature hides answers to security questions as you type. The default is to show the answer in plain text when you answer a security question, for example when resetting your password.

      Note

      If your organization uses the Microsoft Input Method Editor (IME) with the input mode set to Hiragana, when you type ASCII characters they’re converted into Japanese characters in normal text fields. However, the IME does not work properly in fields with obscured text. If your organization’s users cannot properly enter their passwords or other values after enabling this feature, disable the feature.
    Require a minimum 1 day password lifetime
      When you select this option, passwords can’t be changed more than once in a 24 hour period.
  3. Customize the forgotten password and locked account assistance information.

    Note

    This setting is not available for Self-Service portals, Customer Portals, or partner portals.

    Message
      When set, this custom message appears in the Account Lockout email and at the bottom of the Confirm Identity screen for users resetting their passwords. You can customize it with the name of your internal help desk or a system administrator. For the lockout email, the message only appears for accounts that need an administrator to reset them. Lockouts due to time restrictions get a different system email message.
    Help link
      If set, this link displays with the text defined in the Message field. In the Account Lockout email, the URL displays just as it is typed into the Help link field, so the user can see where the link takes them. This is a security feature because the user is not within a Salesforce organization.

      On the Confirm Identity password screen, the Help link URL combines with the text in the Message field to make a clickable link. Security isn’t an issue since the user is in a Salesforce organization when changing passwords.

      Valid protocols:
      • http
      • https
      • mailto:
  4. Specify an alternative home page for users with the “API Only User” permission. After completing user management tasks such as resetting a password, API-only users are redirected to the URL specified here, rather than to the login page.
  5. Click Save.
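As an added example, not code from the Salesforce documentation, the following Python checks a proposed password against the step 2 settings: the five complexity levels with their exact special-character set, the 16,000 byte limit, minimum length, and password history. The level names and defaults are taken from the table above; the function names and the plaintext history comparison are assumptions for illustration.

```python
# Special characters accepted by the "special characters" complexity levels,
# exactly the set listed in the Password complexity requirement setting.
SPECIAL = set("!#$%-_=+<>")

# Complexity level names as they appear in the setting (index 1 is the default).
LEVELS = (
    "No restriction",
    "Must mix alpha and numeric characters",
    "Must mix alpha, numeric, and special characters",
    "Must mix numbers and uppercase and lowercase letters",
    "Must mix numbers, uppercase and lowercase letters, and special characters",
)

def meets_complexity(password: str, level: str) -> bool:
    """Return True if the password satisfies the named complexity level."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_special = any(c in SPECIAL for c in password)
    if level == LEVELS[0]:
        return True
    if level == LEVELS[1]:
        return has_alpha and has_digit
    if level == LEVELS[2]:
        return has_alpha and has_digit and has_special
    if level == LEVELS[3]:
        return has_digit and has_upper and has_lower
    if level == LEVELS[4]:
        return has_digit and has_upper and has_lower and has_special
    raise ValueError(f"unknown complexity level: {level}")

def check_new_password(password, level=LEVELS[1], min_length=8,
                       history=(), remembered=3):
    """Return the policy violations for a proposed new password (empty if OK).

    history: previous passwords, newest first; only the most recent `remembered`
    are enforced ("Enforce password history"). A real system compares hashes.
    """
    problems = []
    if len(password.encode("utf-8")) > 16000:
        problems.append("exceeds 16,000 bytes")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not meets_complexity(password, level):
        problems.append(f"does not satisfy: {level}")
    if password in history[:remembered]:
        problems.append(f"matches one of the last {remembered} passwords")
    return problems
```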