Set the org-wide password rules from Setup, then override them on specific profiles if certain user groups need stricter or looser requirements. You need the Manage Password Policies permission.
- Open the Password Policies page
From Setup, type Password Policies into the Quick Find box and select Password Policies. This is the organization-wide page that sets the default rule for every user who is not covered by a profile override.
- Set length, complexity, and history
Choose a Minimum password length, pick a Password complexity requirement from the dropdown, and set Enforce password history. Turn on Require a minimum 1 day password lifetime if you want to stop rapid reuse cycles.
- Set expiration and lockout
Pick an interval under User passwords expire in (or Never expires), then set Maximum invalid login attempts and Lockout effective period to slow brute-force guessing. Adjust the reset-flow options for the security question if needed.
- Save, then override per profile if needed
Click Save. To make a group stricter, open that profile, select Password Policies, edit the same fields, and save. Profile settings override the org-wide values for those users.
- Minimum password length
Smallest allowed password size; defaults to 8 characters and can be raised to meet a tighter standard.
- Password complexity requirement
Dropdown of character-class rules, from no restriction up to requiring three or four of numbers, uppercase, lowercase, and special characters.
- User passwords expire in
Rotation interval before a forced password change; defaults to 90 days, with a Never expires option that also disables history.
- Enforce password history
Number of previous passwords the system blocks from reuse; defaults to 3 and supports up to 24.
- Maximum invalid login attempts
Failed sign-ins allowed before the account locks; pairs with Lockout effective period (default 15 minutes) to slow brute-force attacks.
- Profile password policies override the org-wide page, so check both places when a user's rule does not look right.
- A tightened policy applies to existing profile users only when they next reset their password, not the moment you save.
- Choosing Never expires disables password history enforcement, so you lose reuse protection along with rotation.
- Single sign-on users authenticate through your identity provider, so most of these rules do not apply to them; integration and API-only accounts still do.
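As an added example (not code from Salesforce or its documentation), this Python script models the fields above, applies the precedence from the last step (profile override beats org-wide) and the Never expires caveat, and audits each profile's effective policy against an internal baseline. The dictionary keys, sample values and baseline thresholds are constructed assumptions, not Salesforce API names or defaults.

```python
# Assumed model of the org-wide Password Policies page; values are constructed.
# complexity is an ordinal for the dropdown (0 = no restriction, 4 = all four classes).
ORG_WIDE = {"min_length": 8, "complexity": 3, "expire_days": 90,
            "history": 3, "max_invalid_logins": 10, "lockout_minutes": 15}

# Constructed profile overrides: only the fields edited on that profile's page.
# expire_days None stands for the "Never expires" option.
PROFILE_OVERRIDES = {
    "Standard User": {},
    "System Administrator": {"min_length": 14, "history": 24, "max_invalid_logins": 3},
    "Integration User": {"expire_days": None},
}

# Internal baseline the audit checks against (an assumption, not a Salesforce default).
BASELINE = {"min_length": 12, "complexity": 3, "max_expire_days": 90,
            "history": 5, "max_invalid_logins": 5, "lockout_minutes": 15}


def effective_policy(org, override):
    """Profile values replace org-wide values field by field for that profile's users."""
    policy = {**org, **override}
    if policy["expire_days"] is None:
        policy["history"] = 0  # Never expires also switches off history enforcement
    return policy


def audit(policy, baseline=BASELINE):
    """Return findings for one effective policy (empty list means compliant)."""
    issues = []
    if policy["min_length"] < baseline["min_length"]:
        issues.append(f"min_length {policy['min_length']} < {baseline['min_length']}")
    if policy["complexity"] < baseline["complexity"]:
        issues.append(f"complexity {policy['complexity']} < {baseline['complexity']}")
    if policy["expire_days"] is None:
        issues.append("Never expires: rotation and reuse history both disabled")
    elif policy["expire_days"] > baseline["max_expire_days"]:
        issues.append(f"expire_days {policy['expire_days']} > {baseline['max_expire_days']}")
    if policy["history"] < baseline["history"]:
        issues.append(f"history {policy['history']} < {baseline['history']}")
    if policy["max_invalid_logins"] > baseline["max_invalid_logins"]:
        issues.append(f"max_invalid_logins {policy['max_invalid_logins']} too high")
    if policy["lockout_minutes"] < baseline["lockout_minutes"]:
        issues.append(f"lockout_minutes {policy['lockout_minutes']} too short")
    return issues


def audit_org(org=ORG_WIDE, overrides=PROFILE_OVERRIDES, baseline=BASELINE):
    """Map each profile to its findings, checking both places in one pass."""
    return {name: audit(effective_policy(org, ov), baseline) for name, ov in overrides.items()}


if __name__ == "__main__":
    for profile, issues in audit_org().items():
        print(profile, "->", issues or "OK")
```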