This article covers common reasons why a Salesforce sandbox login fails and how to resolve them. Causes include stale browser credentials, My Domain login policy restrictions, incorrect login URLs, and frozen user accounts.
If you receive an "Incorrect username and password" error when logging in to a Salesforce sandbox environment, verify that you are using the correct password for your instance (cs1, cs2, etc.). Note that usernames and passwords can differ after a sandbox is refreshed. Review Create a Sandbox for more information.
For username conventions in a sandbox, see the Users and Contacts section the Salesforce Help under Sandboxes: Staging Environments for Customizing and Testing Help page.
If you are using the correct username and password for your sandbox instance, the following issues may be preventing you from logging in.
If your web browser has saved login information from before the last sandbox refresh, login attempts will likely fail. Clear the browser's cache, cookies, and saved passwords, then restart the browser to remove all old credentials.
Note: Once a sandbox is created or refreshed, you can log in using the production password.
After a sandbox is created or refreshed, it can take 24–48 hours before you are able to log in using https://test.salesforce.com. During this period, access the sandbox using its My Domain login URL instead.
In some cases, the generic sandbox login URL (https://test.salesforce.com) must specify the instance where the sandbox resides.
To find your instance in the 'Location' column:
If login issues continue, update the sandbox login URL from <REDACTED> to <REDACTED> where csX represents your sandbox instance (for example, cs1, cs2, or cs3).
If the sandbox org has My Domain enabled and the Login Policy is set to "Prevent login from <REDACTED> users must log in using the My Domain URL, such as https://[MyDomain]--[SandboxName].csx.my.salesforce.com.
A system administrator can disable this restriction:
The system administrator can unfreeze the user so they can log in with an existing password, or reset the password if required.
For more information on user maintenance, see:
Sandbox email addresses are appended with '.invalid' at the end. When resetting a password, ensure the email address is updated first. Work with your system administrator to update the email address. For more information, see Email addresses in sandbox appended with '.invalid' after refresh (Salesforce Help).
Note: For sandbox users who did not update their email addresses to a valid domain prior to the refresh, you may still see the '@example' domain followed by '.invalid' at the end.
A newly refreshed sandbox shares the same password and password expiration date from its production organization. Once the password expires, it affects both environments. If the production password is changed, that change does not automatically apply in the sandbox — users attempting to log in to the sandbox with the new production password will encounter a login error.
Although most email addresses are appended with '.invalid,' this does not apply to the admin user who created or submitted the sandbox for refresh. If an admin cannot access the target sandbox, check whether other admin users can assist with updating the user record's email address and resetting the password. If no admins can log in to the sandbox, contact Support and follow the Change an administrator's email address in sandbox (Salesforce Help) process.
000385817

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.