December 18, 2012

Password policies in Salesforce

Password policies are the org-wide security settings that govern user passwords: how long a password stays valid, how many previous passwords a user may not reuse, the minimum length and character mix required, and what happens after repeated failed logins. By default Salesforce passwords expire every 90 days, the last three passwords cannot be reused, and a password must be at least 8 characters long and mix alphabetic and numeric characters. These defaults can be changed in the Password Policies settings.

To change the Password Policies perform the following steps:
1. Go to User name --> Setup --> Administration Setup --> Security Controls--> Password Policies.
2. Change the policies to match your requirements, as shown in the following screenshot:

3. A message and a help link can be shown to users who forget their password or are locked out. If a system administrator forgets the password, it can be reset using the reset link sent to the administrator's e-mail address.

4. Click the 'Save' button to save the changes.

User passwords expire in
The length of time until all user passwords expire and must be changed. Users with the “Password Never Expires” permission are not affected by this setting. The default is 90 days. This setting is not available for Self-Service portals.
Enforce password history
Save users’ previous passwords so that they must always reset their password to a new, unique password. Password history is not saved until you set this value. The default is 3 passwords remembered. You cannot select No passwords remembered unless you select Never expires for the User passwords expire in field. This setting is not available for Self-Service portals.
Minimum password length
The minimum number of characters required for a password. When you set this value, existing users aren’t affected until the next time they change their passwords. The default is 8 characters.
Password complexity requirement
The requirement for which types of characters must be used in a user’s password.
Complexity levels:
  • No restriction—allows any password value and is the least secure option.
  • Must mix alpha and numeric—requires at least one alphabetic character and one number. This is the default.
  • Must mix alpha, numeric, and special characters—requires at least one alphabetic character, one number, and one of the following characters: ! # $ % - _ = + < >.
Password question requirement
The values are Cannot contain password, meaning that the answer to the password hint question cannot contain the password itself; or None, the default, for no restrictions on the answer. The user’s answer to the password hint question is required. This setting is not available for Self-Service portals, Customer Portals, or partner portals.
Maximum invalid login attempts
The number of login failures allowed for a user before they become locked out. This setting is not available for Self-Service portals.
Lockout effective period
The duration of the login lockout. The default is 15 minutes. This setting is not available for Self-Service portals.
Note: If users are locked out, they must wait until the lockout period expires. Alternatively, a user with the “Reset Passwords and Unlock Users” permission can unlock them by clicking Your Name | Setup | Manage Users | Users, selecting the user, then clicking Unlock. This button is only available when a user is locked out.
Message
When set, this custom message appears in the Account Lockout email and at the bottom of the Confirm Identity screen for users resetting their passwords. You can customize it with the name of your internal help desk or a system administrator. For the lockout email, the message only appears for accounts that need an administrator to reset them. Lockouts due to time restrictions get a different system email message.
Help link
If set, this link displays with the text defined in the Message field. In the Account Lockout email, the URL displays just as it is typed into the Help link field, so the user can see where the link takes them. This is a security feature because the user is not within a Salesforce organization.
On the Confirm Identity password screen, the Help link URL combines with the text in the Message field to make a clickable link. Security isn’t an issue since the user is in a Salesforce organization when changing passwords.
Valid protocols:
  • http
  • https
  • mailto:
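The settings above are easier to reason about once their semantics are written out. The following is an added example, not Salesforce code (Salesforce enforces these rules on its own servers): a small Python model of the expiry, history, length, complexity, hint-question and lockout rules with the defaults the page gives. The default of three invalid login attempts is an assumption, since the page states no default for that setting, and the unsalted SHA-256 used for the history comparison is only there to keep the example self-contained.

```python
"""Model of the password-policy settings described above.

Added example, not Salesforce code (Salesforce enforces these rules on the
server); defaults follow the page. The default of 3 invalid attempts is an
assumption: the page gives no default for that setting.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib

SPECIAL_CHARS = frozenset("!#$%-_=+<>")   # the page's list for the strictest level
NO_RESTRICTION, ALPHA_NUMERIC, ALPHA_NUMERIC_SPECIAL = 0, 1, 2


def pw_hash(password):
    # Unsalted SHA-256 only to keep the history check self-contained;
    # real password storage uses a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class PasswordPolicy:
    expiry_days: Optional[int] = 90      # None = "Never expires"
    history_size: int = 3                # 0 = "No passwords remembered"
    min_length: int = 8
    complexity: int = ALPHA_NUMERIC
    question_cannot_contain_password: bool = False
    max_invalid_attempts: int = 3        # assumption, see module docstring
    lockout_minutes: int = 15

    def __post_init__(self):
        # "No passwords remembered" is only selectable with "Never expires".
        if self.history_size == 0 and self.expiry_days is not None:
            raise ValueError("history_size=0 requires expiry_days=None")

    def violations(self, password, previous_hashes=(), hint_answer=None):
        """Rules a candidate password breaks; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        has_alpha = any(c.isalpha() for c in password)
        has_digit = any(c.isdigit() for c in password)
        if self.complexity >= ALPHA_NUMERIC and not (has_alpha and has_digit):
            problems.append("must mix alphabetic and numeric characters")
        if self.complexity >= ALPHA_NUMERIC_SPECIAL and not any(c in SPECIAL_CHARS for c in password):
            problems.append("must contain one of " + "".join(sorted(SPECIAL_CHARS)))
        # Only the most recent history_size passwords count as remembered.
        remembered = list(previous_hashes)[-self.history_size:] if self.history_size else []
        if pw_hash(password) in remembered:
            problems.append(f"matches one of the last {self.history_size} passwords")
        if (self.question_cannot_contain_password and hint_answer
                and password.lower() in hint_answer.lower()):
            problems.append("hint answer contains the password")
        return problems

    def expired(self, set_at, now, never_expires_permission=False):
        """'User passwords expire in'; the permission bypasses the check."""
        if self.expiry_days is None or never_expires_permission:
            return False
        return now - set_at >= timedelta(days=self.expiry_days)


@dataclass
class LoginTracker:
    """Consecutive-failure counter plus the lockout effective period."""
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)      # user -> count
    locked_until: dict = field(default_factory=dict)  # user -> datetime

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now >= until:   # effective period elapsed
            self.unlock(user)
            return False
        return until is not None

    def record_attempt(self, user, credentials_ok, now):
        """True if the login is accepted; False if rejected or still locked."""
        if self.is_locked(user, now):
            return False       # even the right password is refused while locked
        if credentials_ok:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.max_invalid_attempts:
            self.locked_until[user] = now + timedelta(minutes=self.policy.lockout_minutes)
        return False

    def unlock(self, user):
        """The admin 'Unlock' button ('Reset Passwords and Unlock Users')."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy(complexity=ALPHA_NUMERIC_SPECIAL)
    old = [pw_hash(p) for p in ("Winter12!", "Spring12!", "Summer12!")]  # constructed
    for candidate in ("Summer12!", "Autumn12", "Autumn12!"):
        print(candidate, policy.violations(candidate, old))
    tracker, t0 = LoginTracker(policy), datetime(2012, 12, 18, 9, 0)
    for i in range(3):                         # three bad passwords -> locked
        tracker.record_attempt("jdoe", False, t0 + timedelta(seconds=i))
    print(tracker.is_locked("jdoe", t0 + timedelta(minutes=5)),
          tracker.is_locked("jdoe", t0 + timedelta(minutes=20)))
```

Two details of the page's text are worth noticing in the model: the history check only compares against the most recent N passwords, so an old password falls out of the window once N newer ones have been set, and a correct password is still refused while the lockout effective period is running, which is why a locked-out user needs either the waiting time or an administrator's Unlock.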

Sample output for Help Link and Message:


1 comment:

  1. Unfortunately, the Message is not sent to Community Users. They receive the standard message above, asking them to contact . We need to refer users to our customer services email to stop the flow of Cases that are being created for account unlocking. We're waiting to hear from Salesforce on a Case that we submitted regarding this issue, but not expecting a positive response.