Administration · Intermediate

Password Policies

Password Policies is a Setup page where administrators define the password requirements for users in the org.

§ 01

Definition

Password Policies is the Setup page where administrators define the password requirements for users in the org. Settings include minimum password length, the required mix of character classes (letters, numbers, uppercase and lowercase letters, special characters), the expiration interval, how many previous passwords are remembered and cannot be reused, and the number of failed login attempts allowed before lockout together with how long the lockout lasts.

§ 02

In plain English


Here's a simple way to think about it: Password Policies sets the floor on how strong every account in the org has to be. Length, complexity, expiration, history, lockout threshold - every password rule for non-SSO users.

§ 03

Worked example

scenario · real-world use

Following a security audit, the admin at Granite Financial strengthens Password Policies by increasing the minimum length from 8 to 14 characters, requiring at least one uppercase letter, one number, and one special character, setting passwords to expire every 90 days, and enforcing that the last 12 passwords cannot be reused.

§ 04

Why Password Policies set the floor on how strong every account in the org has to be

Password Policies is the page where every password rule for the org gets defined - minimum length, character classes required, expiration interval, password history, lockout threshold. The defaults are deliberately moderate; what you choose here applies to every user who isn't logging in via SSO, every API user, every integration credential. The strictness of this page is the floor your account security can't drop below.

The reason most orgs end up tightening these defaults is that compliance frameworks have opinions about these values, and they do not all agree. PCI DSS sets explicit minimums for length, rotation and lockout; SOC 2 auditors expect a documented policy that the configuration demonstrably enforces; NIST SP 800-63B, by contrast, argues against forced periodic rotation and composition rules and favours length, screening against known-breached passwords, and MFA. Set the page to the tightest standard that actually applies to you, document the alignment, and re-check it during every audit cycle. Where you can replace passwords with SSO entirely (the right answer for most workforce accounts), this page becomes less consequential - but it never goes away while integration users authenticate with a password.

§ 05

How to set up Password Policies

Password Policies are the global rules around how user passwords behave — length, complexity, expiration, lockout. Org-default policies apply to everyone; profile-level policies override the default for users on that profile.

  1. Open Setup → Password Policies

    Setup gear → Quick Find: Password Policies → Password Policies.

  2. Set User passwords expire in

    Default: 90 days. Compliance-heavy industries commonly choose 60 days; low-risk consumer-facing orgs often choose one year. Never expires is a valid option, but Health Check flags it, and the choice should be deliberate: NIST SP 800-63B no longer recommends forced rotation on its own, so a longer interval is defensible once MFA is enforced.

  3. Set Enforce password history

    The number of previous passwords a user cannot reuse. Default 3; recommend 5 or more (the maximum is 24).

  4. Set Minimum password length

    Default 8. Choose 12 or more wherever the password is a primary factor. Less critical once MFA is enforced, which Salesforce now requires for direct UI logins; API integration users that authenticate with username, password and security token still depend on it.

  5. Set Password complexity requirement

    Five options, from No restriction up to a required mix of numbers, uppercase and lowercase letters, and special characters. Default: Must mix alpha and numeric characters.

  6. Set Maximum invalid login attempts and Lockout effective period

    Lockout after N failed attempts; the lockout lasts X minutes, or Forever until an admin unlocks the user. Defaults: 10 attempts and a 15 minute lockout. The attempt picklist stops at 10, so you can only tighten from there (5 or 3) or remove the limit, which you should not.

  7. Configure profile-level overrides

    Profile-detail page → Password Policies section → override any of the above for users on that profile.

Key options

User passwords expire in

30, 60, 90 or 180 days, one year, or Never expires (Never raises a Health Check flag).

Enforce password history

0 to 24 prior passwords remembered.

Minimum password length

5, 8, 10, 12 or 15 characters.

Password complexity requirement

No restriction / Must mix alpha and numeric characters / Must mix alpha, numeric, and special characters / Must mix numbers, uppercase and lowercase letters / Must mix numbers, uppercase and lowercase letters, and special characters.

Maximum invalid login attempts and Lockout effective period

No limit, 3, 5 or 10 attempts; lockout of 15, 30 or 60 minutes, or Forever (an admin must unlock the user).

Gotchas
  • Profile-level password policies override the org default in both directions. A user on a profile with stricter policies follows the profile; a user on a profile with relaxed policies follows the relaxed one, even if the org default is tight. Audit per-profile whenever a user's behaviour surprises you, and include every profile in the audit, not only the org page.
  • Stricter complexity rules combined with short expiration drive users to write passwords down - a security anti-pattern. MFA plus a longer expiration is usually better than complex-and-short.
  • Locked-out users still need an admin to unlock them, or must wait out the lockout period (with Forever there is no waiting it out). Have a clear admin-on-call process for lockouts to avoid Friday-evening emergencies.
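A way to check the setup steps above and the first gotcha mechanically, as an added example that is not from this page or from Salesforce: the script below parses the org-level policy out of the SecuritySettings metadata that `sf project retrieve` writes to settings/Security.settings-meta.xml, layers per-profile overrides on top of it, and reports every effective policy that is weaker than the baseline recommended in the steps. The element and enum names used (`passwordPolicies`, `minimumPasswordLength`, `NinetyDays`, `TenAttempts` and so on) are assumed to match the Metadata API; verify them against your own retrieved file. The XML and the profile overrides are constructed sample data, and the complexity ranking is the script's own.

```python
"""Audit Salesforce password policies against a baseline (added example).

Reads the org-level policy from a SecuritySettings metadata file, applies
per-profile overrides (a relaxed profile policy wins over a strict org
default) and lists each setting weaker than the baseline.
The XML and the overrides below are constructed, not from a real org.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Metadata API enum values -> numbers. The names are assumed to match the
# SecuritySettings type; check them against your own retrieved file.
EXPIRATION_DAYS = {"ThirtyDays": 30, "SixtyDays": 60, "NinetyDays": 90,
                   "SixMonths": 180, "OneYear": 365, "Never": None}
LOCKOUT_MINUTES = {"FifteenMinutes": 15, "ThirtyMinutes": 30,
                   "SixtyMinutes": 60, "Forever": None}   # None: admin reset
MAX_ATTEMPTS = {"ThreeAttempts": 3, "FiveAttempts": 5,
                "TenAttempts": 10, "NoLimit": None}       # None: unlimited
# Complexity options ranked weakest to strongest (the ranking is ours).
COMPLEXITY_RANK = {"NoRestriction": 0, "AlphaNumeric": 1,
                   "SpecialCharacters": 2, "UpperLowerCaseNumeric": 3,
                   "UpperLowerCaseNumericSpecialCharacters": 4}

# Baseline taken from the recommendations in the steps above.
BASELINE = {"min_length": 12, "max_expiration_days": 90, "min_history": 5,
            "max_attempts": 10, "min_lockout_minutes": 15,
            "min_complexity": "UpperLowerCaseNumeric"}

# Constructed org file holding the Salesforce defaults.
SAMPLE_SECURITY_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <passwordPolicies>
        <complexity>AlphaNumeric</complexity>
        <expiration>NinetyDays</expiration>
        <historyRestriction>3</historyRestriction>
        <lockoutInterval>FifteenMinutes</lockoutInterval>
        <maxLoginAttempts>TenAttempts</maxLoginAttempts>
        <minimumPasswordLength>8</minimumPasswordLength>
    </passwordPolicies>
</SecuritySettings>"""

# Constructed profile overrides, keyed like the parsed org policy. Real
# overrides live in ProfilePasswordPolicy metadata, which is not parsed here.
SAMPLE_PROFILE_OVERRIDES = {
    "Finance": {"min_length": 15, "history": 12, "expiration_days": 60,
                "complexity": "UpperLowerCaseNumericSpecialCharacters"},
    "Integration User": {"expiration_days": None, "max_attempts": None},
}


def parse_org_policy(xml_text):
    """Return the org-default password policy as a plain dict."""
    policies = ET.fromstring(xml_text).find("m:passwordPolicies", NS)

    def field(tag):
        el = policies.find(f"m:{tag}", NS)
        if el is None or not el.text:
            raise ValueError(f"passwordPolicies/{tag} missing")
        return el.text.strip()

    return {"min_length": int(field("minimumPasswordLength")),
            "expiration_days": EXPIRATION_DAYS[field("expiration")],
            "history": int(field("historyRestriction")),
            "max_attempts": MAX_ATTEMPTS[field("maxLoginAttempts")],
            "lockout_minutes": LOCKOUT_MINUTES[field("lockoutInterval")],
            "complexity": field("complexity")}


def audit(policy, baseline=BASELINE):
    """List every setting in `policy` that is weaker than `baseline`."""
    exp, tries, lock = (policy["expiration_days"], policy["max_attempts"],
                        policy["lockout_minutes"])
    checks = [
        (policy["min_length"] < baseline["min_length"],
         f"minimum length {policy['min_length']} < {baseline['min_length']}"),
        (exp is None or exp > baseline["max_expiration_days"],
         f"expiration {'Never' if exp is None else exp} exceeds "
         f"{baseline['max_expiration_days']} days"),
        (policy["history"] < baseline["min_history"],
         f"history {policy['history']} < {baseline['min_history']}"),
        (tries is None or tries > baseline["max_attempts"],
         f"lockout after {'unlimited' if tries is None else tries} attempts, "
         f"baseline {baseline['max_attempts']}"),
        # Forever (None) is stricter than any minute value, so it passes.
        (lock is not None and lock < baseline["min_lockout_minutes"],
         f"lockout {lock} min < {baseline['min_lockout_minutes']}"),
        (COMPLEXITY_RANK[policy["complexity"]]
         < COMPLEXITY_RANK[baseline["min_complexity"]],
         f"complexity {policy['complexity']} below {baseline['min_complexity']}"),
    ]
    return [message for failed, message in checks if failed]


def audit_org(xml_text, profile_overrides, baseline=BASELINE):
    """Findings for the org default and for every profile's effective policy."""
    org = parse_org_policy(xml_text)
    report = {"Org default": audit(org, baseline)}
    for profile, override in profile_overrides.items():
        # Profile values replace org defaults field by field, stricter or not.
        report[profile] = audit({**org, **override}, baseline)
    return report
```

Against the constructed input the org default and the Integration User profile both fail (the profile adds Never expires and no attempt limit on top of the weak defaults) while the Finance profile passes. To run it against a real org, read settings/Security.settings-meta.xml into `audit_org`, and translate each ProfilePasswordPolicy record into the same keys before passing it as an override.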
§ 06

How organizations use Password Policies

Pacific Crest Bank

Tightened policies to match NIST guidelines; the org passed compliance with current standards.

BlueRiver Health

HIPAA-aligned password policies enforced through the platform; auditors verified compliance via the configuration.

§

Test your knowledge

Q1. Why is understanding Password Policies important for Salesforce admins?

Q2. What is the primary benefit of Password Policies for Salesforce administrators?

Q3. Can a Salesforce admin configure Password Policies without writing code?
