7

Managing Salesforce Password Policies (Control Access to Organization)

Salesforce provides robust tools for managing password policies, allowing you to define specific requirements and enforce secure password practices within your organization.

Implementing complex password requirements with sufficient length, character diversity, and regular changes minimizes the risk of unauthorized access due to weak or easily guessable passwords.

Managing Salesforce password policies is crucial for several reasons related to security, compliance, and user experience. So, let’s explore these policies in detail.

What is Managing Salesforce Password Policies?

Password policies in Salesforce are configured to ensure that the user’s password is solid and secure. Managing Password Policies is vital as strong password policies can help users avoid common issues like forgotten passwords or account lockouts, leading to a smoother user experience.

There are several settings to ensure this:

Password Policies

  • Minimum Password Length: Set a minimum length requirement, typically between 8 and 12 characters, to discourage weak passwords.
  • Password Complexity: Enforce password complexity rules requiring a combination of uppercase and lowercase letters, numbers, and symbols for increased strength.
  • Special Character Restrictions: Consider restricting certain special characters that might be difficult for users to type or remember, balancing security with usability.
  • Password History: Prevent users from reusing their last few passwords to avoid predictable patterns.
  • Dictionary Word Restrictions: Block commonly used words or dictionary terms that are easily guessable.
  • Password Expiration: Set a timeframe for password expiration, typically 30-90 days, to encourage regular password updates.

User Password Expiration

Grant “Password Never Expires” permission to specific users for legitimate reasons, like system accounts or integrations that require permanent access. Remind users about upcoming password expirations to avoid disruptions and encourage timely updates.

User Password Resets

  • Administrator-Initiated Resets: Reset passwords for users who forget their credentials or for security reasons like suspected breaches.
  • Self-Service Resets: Implement self-service password reset options through security questions, email verification, or mobile authentication for user autonomy.

Login Attempts and Lockout Periods

To stop brute-force assaults, set a realistic number of login attempts before the account is locked out. Establish the time limit for account lockouts, which should be a few minutes or hours, to give users enough time to recuperate and prevent further attacks.

Users can unlock their accounts by contacting administrators or using self-service techniques. For extra security, limit login attempts based on particular IP addresses.

Salesforce-Admin-Training-CTA

Levels of Assigning Password Policy

  1. Organization Level: This applies the same policy to all users within your organization, ensuring consistent security standards. It’s suitable for small organizations or those with uniform security requirements.
  2. Profile Level: This allows you to define different policies for different user profiles based on their roles and access levels. This provides more granular control for organizations with diverse user needs and security requirements. For example, administrators might have stricter password policies than standard users.

How to Implement Password Policies in Salesforce?

Here is how you can make sure the passwords maintained throughout the platform are as per the policies and secure:

1. Navigate to Setup

Log in to your Salesforce org and click the gear icon in the top right corner.

Select “Setup” from the dropdown menu.

2. Access Password Policy Settings

In the Quick Find box, type “Password Policies” and select it from the search results.

3. Configure Organization-Level Password Policy

Under “Organization Password Policy,” enable the setting to enforce a password policy for all users.

Define the following parameters:

  •  Minimum Password Length: Choose between 8 and 12 characters for optimal security.
  • Require Password Complexity: Select the desired level of complexity (no complexity, low, medium, high).
  • Password History: Set the number of previous passwords a user cannot reuse (e.g., 5).
  • Dictionary Word Restriction: Enable if you want to block commonly used words.
  • User Password Expiration: Enable and choose the duration (e.g., 90 days) for mandatory password changes.
  • Lockout Policy: Set the number of failed login attempts allowed before locking the account and the lockout duration.
  • Login History Length: Determine how long it takes to keep login attempt records.

4. Configure Profile-Level Password Policies (Optional):

If you need different policies for specific user groups, click “Manage Password Policies by Profile.”

Select a profile and adjust the individual settings as required.

5. Set Password Expiration Warnings (Optional):

Go to “Manage Password Expiration Notifications” under “User Password Expiration.”

Please choose how many days in advance to notify users about their expiring passwords.

6. Enable Self-Service Password Resets (Optional):

Go to “Self-Service Password Resets” under “User Password Resets.”

Select the methods users can use to reset their passwords (e.g., email, security questions).

7. Review and Save:

Carefully review all your settings before clicking “Save”.

Best Practices

  1. Communicate Policy Changes: Inform users about password policy updates and provide guidance on creating strong passwords.
  2. Educate Users: Conduct security awareness training on the importance of strong passwords and healthy password habits.
  3. Regularly Review and Update Policies: Stay informed about evolving security threats and update policies accordingly.
  4. Monitor Password Strength: Utilize tools to analyze password strength and identify weak passwords for remediation.
  5. Enforce Password Reset: Require password resets upon initial login for new users or after security incidents.
Next Topic

Need more support?

Get a head start with our FREE study notes!

Learn more and get all the answers you need at zero cost. Improve your skills using our detailed notes prepared by industry experts to help you excel.

ServiceNow Stripe