          Manage User Passwords Control

          Control Name

          Password Policies

          Recommended Configuration

Password policies are configured under Setup > Password Policies with the following settings:

• Setup path - Setup > Password Policies
• Expire Passwords for All Users - 90 days (do not select "Never expires")
• Enforce password history - 5 passwords remembered (do not select "No passwords remembered")
• Minimum password length - 12
• Password complexity requirement - Must include 3 of the following: numbers, uppercase letters, lowercase letters, special characters
• Password question requirement - Cannot contain password
• Maximum invalid login attempts - 3
• Lockout effective period - 15 minutes
• Obscure secret answer for password resets - Select
• Require a minimum 1 day password lifetime - Select
• Allow use of setPassword() API for self-resets - Deselect
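To make the recommended values concrete, the following is an added Python model of the policy. It is example code written for this page, not Salesforce code, and it does not describe how the platform enforces these settings internally: the constants mirror the recommended values, while the history comparison, the lockout window, the minimum-lifetime check, the user name "alice", the SHA-256 placeholder used for history entries and the one-second spacing of replayed attempts are all assumptions made for illustration. It checks a proposed password against the length, complexity, history, hint-answer and minimum-lifetime rules, and replays a constructed wordlist against the 3-attempt / 15-minute lockout to show how few guesses are actually evaluated.

```python
"""Executable model of the password policy recommended above (added example,
not Salesforce code). The constants mirror the recommended values; how history,
lockout and minimum lifetime are enforced here is an assumption for
illustration, not how the platform implements them. History entries use a
plain SHA-256 placeholder; a real credential store would use a salted, slow hash.
"""
import hashlib
import string
from datetime import datetime, timedelta

MIN_LENGTH = 12
REQUIRED_CLASSES = 3              # 3 of: numbers, upper, lower, special
HISTORY_SIZE = 5                  # 5 passwords remembered
MAX_INVALID_ATTEMPTS = 3
LOCKOUT_PERIOD = timedelta(minutes=15)
MIN_LIFETIME = timedelta(days=1)  # minimum 1 day password lifetime
MAX_AGE = timedelta(days=90)      # expire passwords for all users
T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed reference time for the demo

def pw_hash(password):
    """Placeholder hash for the history list (see module docstring)."""
    return hashlib.sha256(password.encode()).hexdigest()

def complexity_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum([any(c.isdigit() for c in password),
                any(c.isupper() for c in password),
                any(c.islower() for c in password),
                any(c in string.punctuation for c in password)])

def check_new_password(password, history_hashes=(), *, hint_answer="",
                       last_changed=None, now=None):
    """Return the policy rules a proposed password violates ([] = accepted).
    history_hashes: previous hashes, oldest first (last HISTORY_SIZE count).
    hint_answer: the user's secret-question answer, which may not contain it."""
    now = now or datetime.now()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("min-length")
    if complexity_classes(password) < REQUIRED_CLASSES:
        problems.append("complexity")
    if pw_hash(password) in list(history_hashes)[-HISTORY_SIZE:]:
        problems.append("reused-password")
    if hint_answer and password.lower() in hint_answer.lower():
        problems.append("hint-contains-password")
    if last_changed is not None and now - last_changed < MIN_LIFETIME:
        problems.append("min-lifetime")
    return problems

def password_expired(last_changed, now):
    """True once the password is older than the 90-day maximum age."""
    return now - last_changed > MAX_AGE

class LoginTracker:
    """Consecutive-failure counter with a fixed lockout window per user."""
    def __init__(self):
        self.failures = {}      # user -> consecutive invalid attempts
        self.locked_until = {}  # user -> datetime when the lockout ends

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'invalid' for one login attempt."""
        until = self.locked_until.get(user)
        if until is not None and now < until:
            return "locked"     # rejected before the password is evaluated
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_INVALID_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_PERIOD
            self.failures[user] = 0
        return "invalid"

def lockout_effect(guesses, correct, start, user="alice"):
    """Replay constructed guesses one second apart against one account and
    report how many of them the lockout actually let through to evaluation."""
    tracker = LoginTracker()
    evaluated = locked = 0
    for i, guess in enumerate(guesses):
        result = tracker.attempt(user, guess == correct, start + timedelta(seconds=i))
        if result == "locked":
            locked += 1
            continue
        evaluated += 1
        if result == "ok":
            return {"evaluated": evaluated, "locked": locked, "compromised": True}
    return {"evaluated": evaluated, "locked": locked, "compromised": False}

if __name__ == "__main__":
    print(check_new_password("summer2024", hint_answer="it is summer2024"))
    # Constructed wordlist of 100 weak guesses, none of them correct.
    print(lockout_effect([f"Password{i}" for i in range(100)], "Correct-Horse-Battery-9!", T0))
```

With the recommended lockout, a 100-entry wordlist replayed against one account gets only 3 guesses evaluated before the remaining 97 are rejected unexamined for 15 minutes, which is the property the "Maximum invalid login attempts" and "Lockout effective period" settings buy. Per-account lockout still allows low-and-slow or password-spraying patterns that stay under the attempt threshold, which is why the page pairs this control with MFA and SSO rather than relying on it alone.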

          Control Overview

Password policies in Salesforce enforce robust authentication standards, such as complexity, length, and expiration, to prevent unauthorized access via brute force or credential stuffing attacks.

          Security Risk If Not Configured

Weak or unchanging passwords are an easy target for brute force and credential stuffing attacks, allowing unauthorized users to guess their way into your CRM. Without strict policies, an attacker can test credentials at low cost until they compromise an account and gain unrestricted access to your sensitive business data.

          Threat Scenarios

          An attacker uses a list of common or breached passwords from other websites to perform a Credential Stuffing attack against your Salesforce login page, successfully guessing the weak password of an unsuspecting user. Because no lockouts or complexity rules are enforced, the attacker can try thousands of combinations until they gain entry, eventually logging in to exfiltrate proprietary customer lists and internal strategy documents.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

Risk severity depends on the size of the user population and on the access privileges granted upon login.

          Higher Risk When

No user identity verification (such as MFA) is in place and no centralized authentication (such as SSO) is in place.

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

• MFA enforcement or identity verification is in place: MFA is enforced for Salesforce users.
• Centralized SSO: SSO is configured for all user profiles in the platform. Admin users can be excluded from SSO to address the risk of SSO failure, provided a tightly controlled break-glass account is created (for example, with credentials held in a vault).
• Strict password policy: a strict password policy is in place, including frequent password rotation (expiration).

          Business and Integration Considerations

          Customers should evaluate how their authentication process is implemented between various profiles and integration users.

          Recommended Remediation

Set up password policies in Salesforce, or in the IdP configuration, to align with your security standards.

          Security Health Review Guidance

Security Health Review evaluates the password policy configuration that is set directly in the platform. If a separate IdP is used with SSO in place, customers should ensure that the IdP's password policies align with enterprise security standards and industry best practice.

          Salesforce Help | Article