This content describes an older version of this product.

Set Password Policies

To ensure that the appropriate level of password security is used for your organization, specify password requirements with Password Policies settings.
Available in: both Salesforce Classic and Lightning Experience
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

User Permissions Needed
To set password policies: “Manage Password Policies”
For your organization’s security, you can set various password and login policies.

Note

User passwords cannot exceed 16,000 bytes.

Logins are limited to 3,600 per hour per user. This limit applies to organizations created after Summer ’08.

  1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
  2. Customize the password settings.
    Fields and their descriptions:

    User passwords expire in: The length of time until user passwords expire and must be changed. The default is 90 days. This setting isn’t available for Self-Service portals. This setting doesn’t apply to users with the “Password Never Expires” permission.

    If you change the User passwords expire in setting, the change affects a user’s password expiration date if that user’s new expiration date is earlier than the old expiration date or if you remove an expiration by selecting Never expires.

    Enforce password history: Save users’ previous passwords so that they must always reset their password to a new, unique password. Password history is not saved until you set this value. The default is 3 passwords remembered. You cannot select No passwords remembered unless you select Never expires for the User passwords expire in field. This setting isn’t available for Self-Service portals.

    Minimum password length: The minimum number of characters required for a password. When you set this value, existing users aren’t affected until the next time they change their passwords. The default is 8 characters.

    Password complexity requirement: The requirement for which types of characters must be used in a user’s password.
    Complexity levels:
    • No restriction: allows any password value and is the least secure option.
    • Must mix alpha and numeric characters: requires at least one alphabetic character and one number. This is the default.
    • Must mix alpha, numeric, and special characters: requires at least one alphabetic character, one number, and one of the following characters: ! # $ % - _ = + < >.
    • Must mix numbers and uppercase and lowercase letters: requires at least one number, one uppercase letter, and one lowercase letter.
    • Must mix numbers, uppercase and lowercase letters, and special characters: requires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! # $ % - _ = + < >.

    Password question requirement: The values are Cannot contain password, meaning that the answer to the password hint question cannot contain the password itself; or None, the default, for no restrictions on the answer. The user’s answer to the password hint question is required. This setting is not available for Self-Service portals, Customer Portals, or partner portals.

    Maximum invalid login attempts: The number of login failures allowed for a user before they become locked out. This setting isn’t available for Self-Service portals.

    Lockout effective period: The duration of the login lockout. The default is 15 minutes. This setting isn’t available for Self-Service portals.

    Note

    If users are locked out, they must wait until the lockout period expires. Alternatively, a user with the “Reset User Passwords and Unlock Users” permission can unlock them from Setup by entering Users in the Quick Find box, then selecting Users, selecting the user, then clicking Unlock. This button is only available when a user is locked out.

    Obscure secret answer for password resets: This feature hides answers to security questions as you type. The default is to show the answer in plain text.

    Note

    If your organization uses the Microsoft Input Method Editor (IME) with the input mode set to Hiragana, when you type ASCII characters they’re converted into Japanese characters in normal text fields. However, the IME does not work properly in fields with obscured text. If your organization’s users cannot properly enter their passwords or other values after enabling this feature, disable the feature.

    Require a minimum 1 day password lifetime: When you select this option, a password can’t be changed more than once in a 24-hour period.
  3. Customize the forgotten password and locked account assistance information.

    Note

    This setting is not available for Self-Service portals, Customer Portals, or partner portals.

    Fields and their descriptions:

    Message: If set, this message appears in the “We can’t reset your password” email that users receive when they lock themselves out by trying to reset their password too many times. The text also appears at the bottom of the Answer Your Security Question page when users reset their passwords.

    You can tailor the text to your organization by adding the name of your internal help desk or a system administrator. For the email, the message appears only for accounts that need an administrator to reset them. Lockouts due to time restrictions get a different system email message.

    Help link: If set, this link displays with the text defined in the Message field. In the “We can’t reset your password” email, the URL displays just as it is typed in the Help link field, so the user can see where the link goes. This URL display format is a security feature, because the user is not within a Salesforce organization.

    On the Answer Your Security Question page, the Help link URL combines with the text in the Message field to make a clickable link. Security isn’t an issue, because the user is in a Salesforce organization when changing passwords.

    Valid protocols:
    • http
    • https
    • mailto
  4. Specify an alternative home page for users with the “API Only User” permission. After completing user management tasks such as resetting a password, API-only users are redirected to the URL specified here, rather than to the login page.
  5. Click Save.
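To make the step 2 rules concrete, the following checker evaluates a candidate password against the settings described above (the 16,000-byte limit, minimum length, the five complexity levels with their special-character set, password history, the Cannot contain password question requirement, and the 1 day lifetime). It is an added example, not Salesforce code; the PasswordPolicy class, its field names, the numbering of the complexity levels and the SHA-256 history store are assumptions made for illustration.

```python
# Added example, not Salesforce code: the class, field names and hashed history store are assumptions.
import hashlib
from dataclasses import dataclass
SPECIAL = set("!#$%-_=+<>")  # accepted by both "special characters" complexity levels
# Complexity levels, numbered in the order the page lists them.
NO_RESTRICTION, ALPHA_NUM, ALPHA_NUM_SPECIAL, NUM_UPPER_LOWER, NUM_UPPER_LOWER_SPECIAL = range(5)

@dataclass
class PasswordPolicy:
    minimum_length: int = 8                       # page default
    complexity: int = ALPHA_NUM                   # page default
    history_remembered: int = 3                   # page default; 0 means "No passwords remembered"
    answer_cannot_contain_password: bool = False  # page default is "None"
    min_one_day_lifetime: bool = False

def complexity_violations(pw, level):
    alpha, digit = any(c.isalpha() for c in pw), any(c.isdigit() for c in pw)
    upper, lower = any(c.isupper() for c in pw), any(c.islower() for c in pw)
    special = any(c in SPECIAL for c in pw)
    out = []
    if level in (ALPHA_NUM, ALPHA_NUM_SPECIAL) and not (alpha and digit):
        out.append("needs at least one letter and one number")
    if level in (NUM_UPPER_LOWER, NUM_UPPER_LOWER_SPECIAL) and not (digit and upper and lower):
        out.append("needs a number, an uppercase letter and a lowercase letter")
    if level in (ALPHA_NUM_SPECIAL, NUM_UPPER_LOWER_SPECIAL) and not special:
        out.append("needs one of ! # $ % - _ = + < >")
    return out

def history_digest(pw):
    # SHA-256 stands in for the history store; a real store keeps salted, slow password hashes.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def validate_new_password(policy, new_pw, previous_digests, hint_answer=None, hours_since_change=None):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new_pw.encode("utf-8")) > 16000:
        problems.append("exceeds the 16,000-byte limit")
    if len(new_pw) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    problems += complexity_violations(new_pw, policy.complexity)
    remembered = previous_digests[-policy.history_remembered:] if policy.history_remembered else []
    if history_digest(new_pw) in remembered:  # only the most recent N previous passwords count
        problems.append(f"matches one of the last {policy.history_remembered} passwords")
    # Password question requirement "Cannot contain password" (compared case-insensitively here).
    if policy.answer_cannot_contain_password and hint_answer and new_pw.lower() in hint_answer.lower():
        problems.append("security-question answer contains the password")
    if policy.min_one_day_lifetime and hours_since_change is not None and hours_since_change < 24:
        problems.append("password was already changed within the last 24 hours")
    return problems
```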