Password policies

There are several password and login policy features that help you improve your organization's security. To set these password policies, navigate to Setup | Security Controls | Password Policies. Select the required settings and then click on Save.

Let's look at each of the password policies that are shown in the following screenshot:

[Screenshot: Password policies]

The user password expiration period

Password expiration periods for all users in your organization are set by the User passwords expire in picklist selection.

This sets the length of time until all user passwords expire and must be changed. Users with the Password Never Expires permission are not affected by this setting.


The options are 30 days, 60 days, 90 days, 180 days, One Year, and Never Expires.

Enforce password history

The enforce password history setting is used to remember users' previous passwords so that they must always enter a previously unused password. The password history is not saved until you set this value. You cannot select the No passwords remembered option unless you select the Never expires option for the User passwords expire in field.


The options are either No passwords remembered or between 1 password remembered and 24 passwords remembered.

Minimum password length

The Minimum password length feature sets the minimum number of characters required for a password. When you set this value, existing users are not affected until the next time they change their passwords.


The options are 5 characters, 8 characters, 10 characters, or 12 characters.

Password complexity requirement

The Password complexity requirement feature sets a restriction on which types of characters must be used in a user's password. The options are No Restriction; Must mix alpha and numeric (which requires at least one alphabetic character and one number); Must mix alpha, numeric and special characters (which requires at least one alphabetic character, one number, and one of the !, #, $, %, -, _, =, +, <, and > characters); Must mix numbers and uppercase and lowercase letters (which requires at least one number, one uppercase letter, and one lowercase letter); and Must mix numbers, uppercase and lowercase letters, and special characters (which requires at least one number, one uppercase letter, one lowercase letter, and one of the !, #, $, %, -, _, =, +, <, and > characters).


The Must mix alpha and numeric characters option is the default option.
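
The complexity options and minimum length described above, written out as an added Python example (it is not Salesforce's code and not part of the original text). It assumes ASCII letters and digits and treats only the special characters listed on this page as special; the function names are hypothetical.

```python
import string

# Special characters exactly as listed on this page for the "special characters" options.
SPECIALS = set("!#$%-_=+<>")

def char_classes(pw):
    """Report which character classes occur in pw (ASCII only: an assumption)."""
    return {
        "alpha": any(c in string.ascii_letters for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "lower": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }

# Option label as written on this page -> classes that must all be present.
COMPLEXITY = {
    "No Restriction": (),
    "Must mix alpha and numeric": ("alpha", "digit"),
    "Must mix alpha, numeric and special characters":
        ("alpha", "digit", "special"),
    "Must mix numbers and uppercase and lowercase letters":
        ("digit", "upper", "lower"),
    "Must mix numbers, uppercase and lowercase letters, and special characters":
        ("digit", "upper", "lower", "special"),
}

def check_password(pw, complexity, min_length):
    """Return a list of violations; an empty list means pw is acceptable."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = char_classes(pw)
    for cls in COMPLEXITY[complexity]:
        if not present[cls]:
            problems.append(f"missing {cls}")
    return problems

def satisfied_options(pw):
    """List every complexity option that would accept pw."""
    present = char_classes(pw)
    return [name for name, required in COMPLEXITY.items()
            if all(present[c] for c in required)]
```

A password whose only punctuation is a character outside the list above (for example `@`) is reported as missing a special character, so test candidate passwords against the option you plan to select.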

Password question requirement

The Password question requirement setting requires that a user's answer to the password hint question not contain the password itself.


The options are either Cannot contain password, which means that the answer to the password hint question cannot contain the actual password itself, or None, which is the default, for no restrictions on the answer.

Maximum invalid login attempts

The Maximum invalid login attempts feature sets the number of incorrect login attempts a user is allowed before they get locked out. The options are No limit, 3, 5, and 10.


The default number of invalid login attempts is 10.

Lockout effective period

The Lockout effective period feature sets the duration of the login lockout. The options are 15 minutes, 30 minutes, 60 minutes, and Forever (must be reset by admin).


The default lockout effective period is 15 minutes.

If a user gets locked out, they can either wait until the lockout effective period expires, or you can view the user's information and click on Unlock. The Unlock button is only displayed when a user is locked out.

Obscure secret answer for password resets

The Obscure secret answer for password resets feature hides the text as users type the answers to security questions. The default option is unchecked, which will display the answer in plain text when users answer a security question, say, when they're resetting their passwords.

Require a minimum 1 day password lifetime

When selected, the Require a minimum 1 day password lifetime option prevents users from changing their passwords more than once per day. The default option is unchecked, which allows users to change their password as often as they like.