Specify password requirements with Password Policies settings. Understand how each field
impacts a profile’s password requirements.
Changes to org-wide password policies don’t apply to users of
a profile that has its own password policies.
Field
Description
User passwords expire in
The length of time until a user password expires and must be changed. The
default is 90 days. This setting isn’t available for Self-Service portals. Enabling
the Password never expires policy overrides the User passwords expire in
policy.
You can change this setting to an expiration date that is earlier or
later than the previous expiration date. To remove an expiration date, select
Never expires.
Enforce password history
Save users’ previous passwords so that they must use a new, unique
password when changing passwords. Password history isn’t saved until you set this
value. The default is 3 passwords remembered. You can’t select
No passwords remembered unless you select Never
expires for the User passwords expire in field.
This setting isn’t available for Self-Service portals.
Minimum password length
The minimum number of characters required for a password. When you set this
value, existing users aren’t affected until the next time they change their
passwords. The default is 8 characters.
Password complexity requirement
The types of characters that must be used in a user’s password.
No restriction—Has no requirements and is the least secure option.
Must include alpha and numeric characters—The default setting. Requires at least one alphabetic character and one number.
Must include alpha, numeric, and special characters—Requires at least one alphabetic character, one number, and one of the following characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
Must include numbers and uppercase and lowercase letters—Requires at least one number, one uppercase letter, and one lowercase letter.
Must include numbers, uppercase and lowercase letters, and special characters—Requires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
Must include 3 of the following: numbers, uppercase letters, lowercase letters, special characters—Requires at least three of the following options: one number, one uppercase letter, one lowercase letter, and one special character (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~).
Only the characters listed meet the requirement. Other symbol characters
aren’t considered special characters.
Password question requirement
The restrictions to place on the password hint’s answer. This setting isn’t
available for Self-Service portals.
Maximum invalid login attempts
The number of login failures allowed for a user before the user is locked out.
This setting isn’t available for Self-Service portals.
Lockout effective period
The duration of the login lockout. The default is 15 minutes. This setting
isn’t available for Self-Service portals.
When a user is logged in to an active
session but is later locked out, the user remains logged in to the active
session.
A locked-out user must wait until the lockout period expires.
Alternatively, a user with the Reset User Passwords and Unlock Users permission
can unlock a user from the Users detail page in Setup.
Obscure secret answer for password resets
Hide answers to security questions as the user types. The default is to show
the answer in plain text.
If your org uses the Microsoft Input Method Editor (IME)
with the input mode set to Hiragana, when you type ASCII characters, they’re
converted into Japanese characters in normal text fields. However, the IME
doesn’t work properly in fields with obscured text. If your org’s users can’t
properly enter their passwords or other values after enabling this feature,
disable the feature.
Require a minimum 1 day password lifetime
A password can’t be changed more than once in a 24-hour period. This policy
applies to all password changes, including password resets by Salesforce
admins.
Don’t immediately expire links in forgot password emails
When you select this option, a password reset link in a forgot password email
doesn’t expire the first time it’s clicked. Instead, the link stays active until the
user confirms the password reset request on an interstitial page.
A user has 24
hours to reset a password. After 24 hours, the user must submit another
request.
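As an added illustration (not Salesforce code), the following Python example reports which of the Password complexity requirement options described above a candidate password would meet, using the page's exact special-character list and the default minimum length of 8. The option keys, function names, and the ASCII-only treatment of letters and digits are assumptions made for this example.

```python
import string

# Special characters exactly as listed on this page; no other symbol counts.
SPECIAL = set('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')

# Hypothetical keys for the six complexity options (not Salesforce identifiers).
OPTIONS = (
    "no_restriction",
    "alpha_numeric",                # the default setting
    "alpha_numeric_special",
    "upper_lower_numeric",
    "upper_lower_numeric_special",
    "any_three_of_four",
)


def char_classes(password):
    """Return which of the four character classes appear in the password.

    Assumption: letters and digits are ASCII only; anything else that is
    not in SPECIAL (for example a currency sign or a space) counts as nothing.
    """
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        elif ch in SPECIAL:
            found.add("special")
    return found


def satisfied_options(password, min_length=8):
    """List the complexity options this password meets (8 is the default length)."""
    if len(password) < min_length:
        return []
    c = char_classes(password)
    alpha = bool(c & {"lower", "upper"})
    checks = {
        "no_restriction": True,
        "alpha_numeric": alpha and "digit" in c,
        "alpha_numeric_special": alpha and {"digit", "special"} <= c,
        "upper_lower_numeric": {"upper", "lower", "digit"} <= c,
        "upper_lower_numeric_special": len(c) == 4,
        "any_three_of_four": len(c) >= 3,
    }
    return [name for name in OPTIONS if checks[name]]
```

A password containing a symbol outside the listed set, such as a euro sign, gains no credit toward any option that requires a special character.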