          Set Password Policies

          Improve your Salesforce org’s security with password protection. You can set password history, length, and complexity requirements. You can also specify what to do when a user forgets the password.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
          User Permissions Needed
          To set password policies: Manage Password Policies

          You can set different password and login policies based on the type of user. However, these policies apply to all user passwords.

          • User passwords cannot exceed 16,000 bytes.
          • Logins are limited to 3,600 per hour per user. This limit applies to organizations created after Summer ’08.
          • A password can’t contain a user’s username and can’t match a user’s first or last name. Passwords also can’t be too simple. For example, a user can’t change their password to “password”.

          For all editions, a new org has the following default password requirements. You can change these password policies in all editions, except for Personal Edition.

          • A password must contain at least eight characters, including one alphabetic character and one number.
          • The security question’s answer can’t contain the user’s password.
          • When users change their password, they can’t reuse their last three passwords.

          To define password policies:

          1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
          2. Customize the password settings.
            Field Description
            User passwords expire in

            The length of time until a user password expires and must be changed. The default is 90 days. This setting isn’t available for Self-Service portals.

            Enabling the Password never expires policy overrides the User passwords expire in policy.

            You can change this setting to an expiration date that is earlier or later than the previous expiration date. To remove an expiration date, select Never expires.

            Enforce password history

            Save users’ previous passwords so that they must use a new, unique password when changing passwords. Password history is not saved until you set this value. The default is 3 passwords remembered. You cannot select No passwords remembered unless you select Never expires for the User passwords expire in field. This setting isn’t available for Self-Service portals.

            Minimum password length

            The minimum number of characters required for a password. When you set this value, existing users aren’t affected until the next time they change their passwords. The default is 8 characters.

            Password complexity requirement

            The types of characters that must be used in a user’s password.

            • No restriction: Has no requirements and is the least secure option.
            • Must include alpha and numeric characters: The default setting. Requires at least one alphabetic character and one number.
            • Must include alpha, numeric, and special characters: Requires at least one alphabetic character, one number, and one of the following characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
            • Must include numbers and uppercase and lowercase letters: Requires at least one number, one uppercase letter, and one lowercase letter.
            • Must include numbers, uppercase and lowercase letters, and special characters: Requires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
            • Must include 3 of the following: numbers, uppercase letters, lowercase letters, special characters: Requires at least three of the following options: one number, one uppercase letter, one lowercase letter, and one special character (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~).

            Only the characters listed meet the requirement. Other symbol characters are not considered special characters.

            Password question requirement

            The restrictions to place on the password hint’s answer.

            • Cannot contain password: Restricts the answer from containing the password.
            • None: Places no restrictions on the answer. The user must provide an answer to the password hint question. This setting is the default.

              This setting is not available for Self-Service portals, the Customer Portal, or partner portals.

            Maximum invalid login attempts

            The number of login failures allowed for a user before the user is locked out. This setting isn’t available for Self-Service portals.

            These events also count toward the number of times users can try to log in with an invalid password before getting locked out:

            • Each time users are prompted to verify identity
            • Each time users incorrectly add the security token or verification code to the end of their password when logging in to Salesforce via the API or a client

            If single sign-on (SSO) is enabled, the SSO authority usually handles login lockout policies for users with the Is Single Sign-On Enabled permission. However, if the security token is enabled, your org’s login lockout settings determine how many times users can try to log in with an invalid security token before being locked out.

            Lockout effective period

            The duration of the login lockout. The default is 15 minutes. This setting isn’t available for Self-Service portals.

            When a user is logged in to an active session but is later locked out, the user remains logged in to the active session.

            A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.

            • Enter Users in the Quick Find box.
            • Select Users.
            • Select the user, and click Unlock.

              This button is available only when a user is locked out.

            Obscure secret answer for password resets

            Hide answers to security questions as the user types. The default is to show the answer in plain text.

            If your org uses the Microsoft Input Method Editor (IME) with the input mode set to Hiragana, ASCII characters you type are converted into Japanese characters in normal text fields. However, the IME doesn’t work properly in fields with obscured text. If your org’s users can’t properly enter their passwords or other values after enabling this feature, disable the feature.

            Require a minimum 1 day password lifetime

            A password can’t be changed more than once in a 24-hour period. This policy applies to all password changes, including password resets by Salesforce admins.

            Allow use of setPassword() API for self-resets

            When selected, apps can use the setPassword() API to change the current user’s password to a specific value. Deselect this option for increased security. When deselected, apps must use the changeOwnPassword() API to prompt users to set their password value. The changeOwnPassword() API verifies the user’s current password before allowing the change.

          3. Customize the forgotten password and locked account assistance information.
            Note: This setting is not available for Self-Service portals, the Customer Portal, or partner portals.
            Field Description
            Message

            If set, the message you enter appears in the We can’t reset your password email. Users receive this email when they lock themselves out by trying to reset their password too many times. The text also appears at the bottom of the Answer Your Security Question page when users reset their passwords.

            You can add the name of your internal help desk or a system admin to the default text. The message appears only for accounts that need an admin to reset the password. Lockouts due to time restrictions get a different system email message.

            Help link

            If set, this link displays along with the text defined in the Message field. In the We can’t reset your password email, the URL displays exactly as it is typed in the Help link field. This format provides extra security because the user isn’t within a Salesforce org but can still see where the link goes.

            On the Answer Your Security Question page, the Help link URL combines with the text in the Message field and forms a clickable link. Security isn’t an issue because the user is in a Salesforce org when changing passwords.

            Valid protocols are:

            • http
            • https
            • mailto
          4. Specify an alternative home page for users with the API Only User permission. After completing user management tasks such as resetting a password, API-only users are redirected to the specified URL rather than to the login page.
          5. Click Save.
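          As an added example (not Salesforce code and not part of this article), the following Python checker mirrors the password rules described above: the six complexity options with the exact special-character set from the table, the global username, name and “too simple” rules, the 16,000-byte limit, the minimum length, and the password-history setting. The policy dictionary keys, the TOO_SIMPLE set and the sample user are assumptions made for the example; how Salesforce itself evaluates these rules beyond what the table states is not documented here.

```python
import string

# Exact special-character set from the Password complexity requirement table.
SPECIAL = set('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')
# Constructed stand-in for the "too simple" rule; the page names only "password".
TOO_SIMPLE = {"password"}

def char_classes(pw):
    # Assumption: only ASCII letters and digits count as alphabetic/numeric.
    return {
        "alpha": any(c in string.ascii_letters for c in pw),
        "digit": any(c in string.digits for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "lower": any(c in string.ascii_lowercase for c in pw),
        "special": any(c in SPECIAL for c in pw),
    }

# The six complexity options, in the order the table lists them (keys are assumed names).
COMPLEXITY = {
    "none": lambda k: True,
    "alpha_numeric": lambda k: k["alpha"] and k["digit"],
    "alpha_numeric_special": lambda k: k["alpha"] and k["digit"] and k["special"],
    "numeric_upper_lower": lambda k: k["digit"] and k["upper"] and k["lower"],
    "numeric_upper_lower_special": lambda k: all(k[x] for x in ("digit", "upper", "lower", "special")),
    "three_of_four": lambda k: sum(k[x] for x in ("digit", "upper", "lower", "special")) >= 3,
}

def check_password(pw, policy, user, history):
    """Return the rules the candidate violates; an empty list means it is acceptable.
    policy: {"min_length", "complexity" (COMPLEXITY key), "history" (0 = none remembered)}
    user: {"username", "first_name", "last_name"}; history: previous passwords, oldest first."""
    problems = []
    if len(pw.encode("utf-8")) > 16000:          # global limit stated on the page
        problems.append("exceeds 16,000 bytes")
    if len(pw) < policy["min_length"]:
        problems.append("shorter than minimum length")
    if not COMPLEXITY[policy["complexity"]](char_classes(pw)):
        problems.append("fails complexity requirement")
    low = pw.lower()
    if user["username"].lower() in low:
        problems.append("contains username")
    if low in (user["first_name"].lower(), user["last_name"].lower()):
        problems.append("matches first or last name")
    if low in TOO_SIMPLE:
        problems.append("too simple")
    n = policy["history"]                         # a real system would compare hashes
    if n > 0 and pw in history[-n:]:
        problems.append("reuses a remembered password")
    return problems
```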