Definition
Password Policies is a Setup page where administrators define the password requirements for users in the org. Settings include minimum password length, complexity requirements (uppercase, lowercase, numbers, special characters), password expiration intervals, password history enforcement, and maximum login attempts before lockout.
Real-World Example
Following a security audit, the admin at Granite Financial strengthens Password Policies by increasing the minimum length from 8 to 14 characters, requiring at least one uppercase letter, one number, and one special character, setting passwords to expire every 90 days, and enforcing that the last 12 passwords cannot be reused.
Why Password Policies Matters
Password Policies is a Setup page where Salesforce administrators define the authentication requirements users must meet when creating or changing passwords. These settings include minimum password length, complexity requirements (uppercase, lowercase, numbers, special characters), password expiration intervals, password history enforcement (preventing reuse of recent passwords), and maximum failed login attempts before account lockout. This is a foundational security control — without strong password policies, organizations expose themselves to brute-force attacks, credential stuffing, and unauthorized access. It's often the first thing a security auditor reviews during compliance assessments.
As organizations scale and face regulatory requirements like SOX, HIPAA, or PCI-DSS, Password Policies becomes a compliance checkpoint rather than just a best practice. Auditors specifically examine password length minimums, expiration intervals, and lockout thresholds. Organizations that set weak policies — such as 8-character minimums with no complexity requirements — are flagged as non-compliant and risk audit findings. However, overly aggressive policies create their own problems: frequent password rotations and extreme complexity requirements cause users to write passwords on sticky notes or to use simple patterns (Password1!, Password2!). The modern best practice is to pair strong Password Policies with multi-factor authentication (MFA), which Salesforce now requires, creating a defense-in-depth approach that is both secure and user-friendly.
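The settings described above map directly onto a set of checks that run whenever a user sets a new password. The following is an added illustration, not Salesforce code or anything from the page's examples: a small Python validator that enforces the Granite Financial style policy (14-character minimum, upper/lower/digit/special, 12-password history, 90-day expiry). The history is kept as salted PBKDF2 hashes so that old passwords are never stored in clear, and the `is_trivial_rotation` check is an assumed extra that rejects the Password1! to Password2! pattern the text warns about (it can only be done at change time, when the user has supplied the current password). All names, values and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One (salt, digest) pair per historical password; most recent last.
HistoryEntry = Tuple[bytes, bytes]


@dataclass
class PasswordPolicy:
    """Mirrors the knobs exposed on the Password Policies page (values assumed)."""
    min_length: int = 14
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 12      # how many previous passwords may not be reused
    max_age_days: int = 90      # expiration interval


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: List[HistoryEntry]) -> bool:
    """Re-hash the candidate under each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


# prefix, trailing number, optional trailing punctuation (e.g. "Password", "1", "!")
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)([^\w]*)$")


def is_trivial_rotation(new: str, current: str) -> bool:
    """True when `new` differs from `current` only in a trailing number."""
    m_new, m_cur = _TRAILING_NUMBER.match(new), _TRAILING_NUMBER.match(current)
    if not (m_new and m_cur):
        return False
    return (m_new.group(1), m_new.group(3)) == (m_cur.group(1), m_cur.group(3))


def validate_new_password(password: str, current: str,
                          history: List[HistoryEntry],
                          policy: PasswordPolicy) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("missing an uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("missing a lowercase letter")
    if policy.require_digit and not re.search(r"\d", password):
        problems.append("missing a digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a special character")
    # Only the most recent `history_size` entries count toward reuse.
    if matches_history(password, history[-policy.history_size:]):
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if is_trivial_rotation(password, current):
        problems.append("differs from the current password only by a number")
    return problems


def is_expired(last_changed: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """Expiration check driven by the policy's max_age_days."""
    return now - last_changed >= timedelta(days=policy.max_age_days)


# Constructed sample history: three earlier passwords, the last one being current.
SAMPLE_PASSWORDS = ["Correct-Horse-Battery-1", "Staple-Gun-Winter-22", "Granite!Finance2024"]
SAMPLE_HISTORY = [hash_password(p) for p in SAMPLE_PASSWORDS]
CURRENT_PASSWORD = SAMPLE_PASSWORDS[-1]
```

Running `validate_new_password("Granite!Finance2025", CURRENT_PASSWORD, SAMPLE_HISTORY, PasswordPolicy())` returns a single violation for the trailing-number rotation, while a genuinely new 14-plus character password with all four character classes returns an empty list.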
How Organizations Use Password Policies
- Granite Financial — Following a SOX compliance audit, Granite Financial's admin increased the minimum password length from 8 to 14 characters, required uppercase letters, numbers, and special characters, set expiration to 90 days, and enforced a 12-password history. These changes satisfied all 7 audit findings related to authentication controls.
- Trident Healthcare — Trident Healthcare configured Password Policies to meet HIPAA requirements for their 800-user org. They set the maximum login attempts to 5 before lockout, with a 30-minute lockout duration. When a phishing attack targeted 40 employees, the lockout policy prevented any unauthorized access despite 12 employees clicking the malicious link.
- Velocity Retail — Velocity Retail's seasonal workforce of 200 temporary employees posed a password management challenge. The admin configured a separate Password Policy for the seasonal user profile with 90-day expiration and a 10-character minimum, while permanent employees follow a stricter 14-character policy with 60-day expiration. This balanced security with the practical needs of high-turnover roles.
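The Trident Healthcare entry above turns on two numbers, the failed-attempt threshold and the lockout duration. The following added example (not Salesforce code, and not taken from the page) shows how those two settings behave over time: a per-user counter that locks after 5 failures, rejects even a correct password while the lock is active, and releases the lock after 30 minutes. The `replay` helper runs a constructed sequence of login events through the tracker so a reviewer can see where the lock engages and clears; the usernames and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


class LoginLockout:
    """Failed-login tracker implementing 'max attempts before lockout' plus a lockout duration."""

    def __init__(self, max_attempts: int = 5, lockout: timedelta = timedelta(minutes=30)):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout window has elapsed: clear the lock and the failure count.
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Record one login attempt and return 'success', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"          # correct or not, nothing is accepted during the lockout
        if password_ok:
            self.failures[user] = 0  # a good login resets the counter
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout
            return "locked"
        return "failed"


# Constructed event stream: (seconds after start, user, whether the password was correct).
SAMPLE_EVENTS: List[Tuple[int, str, bool]] = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),   # fifth failure triggers the lock
    (600, "alice", True),                        # correct password 10 minutes later: still locked
    (1860, "alice", True),                       # 31 minutes after the lock: accepted
    (5, "bob", False), (6, "bob", True),         # bob's single failure does not affect alice
]


def replay(events: List[Tuple[int, str, bool]],
           tracker: LoginLockout = None) -> List[Tuple[str, str]]:
    """Feed events to the tracker in order and return (user, outcome) pairs."""
    tracker = tracker or LoginLockout()
    start = datetime(2024, 1, 1, 9, 0, 0)
    return [(user, tracker.attempt(user, ok, start + timedelta(seconds=offset)))
            for offset, user, ok in sorted(events)]


if __name__ == "__main__":
    for user, outcome in replay(SAMPLE_EVENTS):
        print(f"{user:6} {outcome}")
```

Sorting the events by offset matters: the tracker is stateful, and the outcome of each attempt depends on every earlier attempt by the same user, which is exactly why the lockout state has to be kept server-side rather than derived from the request.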