What Are Password Policies in Salesforce?
Password policies in Salesforce are a set of rules and configurations that govern how users create, manage, and reset their passwords within your Salesforce org. As a Salesforce Admin, you are responsible for setting these policies to balance strong security with a positive user experience.
These policies sit within the broader data security model of Salesforce, which also includes IP restrictions, login hours, object permissions, and field-level security. Mastering password policies is not just an exam requirement — it is a critical day-to-day admin responsibility that directly impacts the security posture of your entire organization.
Why This Matters Weak password practices are among the most common causes of data breaches. A well-configured password policy is your first line of defense against unauthorized access to sensitive CRM data.
Two Levels of Password Policy in Salesforce
Salesforce allows admins to configure password policies at two distinct levels. Understanding the difference is essential, both for your Salesforce org and for the Admin certification exam.
Organization Level
- Applies to all users by default
- Set once, applies uniformly across the org
- Best for simple orgs or organizations with uniform security needs
- Found under: Setup → Password Policies
Profile Level
- Overrides the org-level policy for users assigned to a specific profile
- Provides granular control based on role or user type
- System Administrators can have stricter rules than standard users
- Found under: Setup → Profiles → [Profile Name] → Password Policies
Exam Tip The Salesforce Admin exam frequently tests whether profile-level policies override org-level policies. The answer is yes — profile-level always takes precedence when configured.
Key Password Policy Settings Explained
When you navigate to Setup → Quick Find → Password Policies, you will encounter the following configurable settings:
| Setting | What It Controls | Recommended Value |
|---|---|---|
| User passwords expire in | How long before a password must be changed | 90 Days |
| Enforce password history | Number of previous passwords a user cannot reuse | 3 Passwords |
| Minimum password length | The fewest characters allowed in a password | 8–12 Characters |
| Password complexity requirement | Whether uppercase, numbers, or symbols are required | Must mix letters & numbers |
| Password question requirement | Controls whether security question can match the password | Cannot contain password |
| Maximum invalid login attempts | Failed logins before account lockout | 3–5 Attempts |
| Lockout effective period | How long the account stays locked after max failures | 15–30 Minutes |
| Obscure secret answer | Hides security question answers with asterisks | Enabled |
Password Complexity Options in Detail
Salesforce provides multiple levels of password complexity. Understanding these levels is important for configuring the right balance of security and usability:
- No restriction — Any combination of characters is accepted. This is not recommended for production orgs.
- Must mix alpha and numeric — Passwords must contain at least one letter and one number. This is the most commonly used setting in real-world orgs.
- Must mix alpha, numeric, and special characters — Requires at least one special character such as ! @ # $ %. Best for high-security environments.
- Must mix uppercase, lowercase, alpha, numeric, and special characters — The most stringent option, often used for System Administrator profiles.
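As an added example (not Salesforce code, and not part of the original article), the following Python validator applies the four complexity levels above, together with the minimum length and password history settings from the table, to a candidate password. The level labels, the special-character set and the salted-hash history list are this example's own assumptions.

```python
import hashlib
import secrets

# The four complexity levels from least to most strict. These labels are this
# example's own; they are not Salesforce API enum values.
COMPLEXITY_LEVELS = (
    "no_restriction",
    "alpha_numeric",
    "alpha_numeric_special",
    "upper_lower_alpha_numeric_special",
)
# Assumed set of characters counted as "special".
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def hash_password(password, salt=None):
    """Salted SHA-256 used only for the reuse check (a real store would use a slow KDF)."""
    salt = salt or secrets.token_hex(8)
    return salt, hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(password, level, min_length=8, history=()):
    """Return the list of violated rules; an empty list means the password is accepted.

    history holds (salt, digest) pairs for the last N passwords, mirroring the
    "Enforce password history" setting.
    """
    rank = COMPLEXITY_LEVELS.index(level)  # ValueError for an unknown level
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than minimum length {min_length}")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL for c in password)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if rank >= 1 and not (has_alpha and has_digit):
        problems.append("must mix letters and numbers")
    if rank >= 2 and not has_special:
        problems.append("must contain a special character")
    if rank >= 3 and not (has_upper and has_lower):
        problems.append("must contain both uppercase and lowercase letters")
    if any(hash_password(password, salt)[1] == digest for salt, digest in history):
        problems.append("matches one of the previous passwords kept in history")
    return problems
```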
Pro Tip Consider applying different complexity requirements for different profiles. Use the strictest setting for System Administrators and Integration Users, while applying a simpler rule for standard users to reduce support tickets.
Login Attempt Limits and Lockout Policy
Brute-force attacks are a real threat. Salesforce’s lockout policy helps mitigate this risk by limiting failed login attempts. Here is how it works:
When a user exceeds the configured number of failed login attempts (for example, 5), their account is automatically locked for the configured lockout period. During this time, even the correct password will not grant access.
Locked users have three ways to regain access:
- Admin Reset — A Salesforce Admin can manually unlock the account from the user record in Setup.
- Self-Service Unlock — If the org has self-service login enabled, users can follow a verification link sent to their email.
- Wait It Out — When the lockout period expires, access is automatically restored.
Important Setting the maximum login attempts to No limit is a security risk. It removes the lockout protection entirely, making your org vulnerable to automated brute-force attacks. Always configure a reasonable limit.
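As an added example (not Salesforce code, and not part of the original article), this Python model implements the lockout behaviour described above: failures are counted per user, the account locks for the configured period once the limit is reached, even the correct password is rejected while locked, and access returns either when an admin unlocks the record or when the period expires. The clock helper and the plaintext password field are simplifications assumed for the demo; max_attempts=None models the No limit setting so its effect on repeated guessing can be compared.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    max_attempts: Optional[int] = 5   # None models the "No limit" setting
    lockout_period: timedelta = timedelta(minutes=15)


@dataclass
class LoginState:
    password: str                     # demo only; a real store keeps a password hash
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


T0 = datetime(2024, 1, 1, 9, 0)       # constructed reference time for the scenario


def at(minutes):
    """Clock helper: the instant `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


def attempt_login(state, policy, supplied, now):
    """Apply one login attempt; returns 'success', 'invalid_password' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"           # correct password is still rejected while locked
        state.locked_until = None     # "wait it out": period expired, counter resets
        state.failed_attempts = 0
    if hmac.compare_digest(supplied.encode(), state.password.encode()):
        state.failed_attempts = 0
        return "success"
    state.failed_attempts += 1
    if policy.max_attempts is not None and state.failed_attempts >= policy.max_attempts:
        state.locked_until = now + policy.lockout_period
        return "locked"
    return "invalid_password"


def admin_unlock(state):
    """The admin 'Unlock' action on the user record: clears the lock and the counter."""
    state.locked_until = None
    state.failed_attempts = 0


def guesses_answered(policy, n):
    """How many of n wrong guesses get a plain 'invalid_password' reply before lockout stops them."""
    st = LoginState(password="Correct-Horse-1")
    return sum(attempt_login(st, policy, f"guess{i}", at(0)) == "invalid_password" for i in range(n))
```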
How to Configure Password Policies in Salesforce: Step-by-Step
Follow these steps to configure password policies in your Salesforce org:
Step 1: Log in and go to Setup Click the gear icon (⚙) in the top-right corner of your Salesforce org and select Setup from the dropdown menu.
Step 2: Find Password Policies In the Quick Find search box on the left sidebar, type “Password Policies” and select it from the results.
Step 3: Configure Org-Level Settings Set values for password expiration, minimum length, complexity, history enforcement, and lockout policy according to your organization’s security requirements.
Step 4: Set Profile-Level Overrides (Optional) Navigate to Setup → Users → Profiles, open a specific profile, scroll to the Password Policies section, and apply different settings as needed.
Step 5: Configure Password Expiration Warnings (Optional) Choose how many days in advance to notify users about upcoming password expirations to reduce disruption and helpdesk volume.
Step 6: Enable Self-Service Password Reset (Optional) Decide which self-service methods users can use — such as email verification or security questions — to reset their own passwords without admin intervention.
Step 7: Save and Communicate to Users Click Save. Inform your users of any policy changes, especially if passwords will expire soon as a result of the new settings.
Password Reset Options for Admins
As a Salesforce Admin, you have several tools for managing user password resets:
Resetting a Single User's Password
Go to Setup → Users → Users, find the user, open their user record, and click Reset Password. Salesforce will send a password reset email to the user’s registered email address.
Resetting Passwords in Bulk
In the Users list view, select multiple users using the checkboxes and click the Reset Password(s) button. This is particularly useful after a suspected security incident or when onboarding a batch of new users.
Granting "Password Never Expires"
For system-to-system integration users or service accounts, you may want to grant the Password Never Expires permission. This can be done via a permission set or directly on the user’s profile. Use this sparingly, as it bypasses a key security control.
Admin Best Practice For integration users that authenticate via API, consider using a Named Credential or OAuth flow instead of username/password authentication. This removes the dependency on password expiry cycles entirely.
Best Practices for Password Policies in Salesforce
Experienced Salesforce Admins follow these guidelines when managing password policies:
- Set a minimum password length of at least 8 characters — with 12 recommended for Admin and power users.
- Enforce password complexity that combines uppercase, lowercase, numbers, and symbols for elevated profiles.
- Configure a password history of at least 3 passwords to prevent simple recycling patterns.
- Set password expiration to 90 days for standard users and 60 days for users with admin privileges.
- Enable the lockout policy with a limit of no more than 5 failed login attempts.
- Use profile-level overrides for System Administrators to apply the most stringent rules.
- Combine password policies with IP restrictions and login hours for a defense-in-depth approach.
- Regularly audit login history via the Login History report to detect unusual patterns or brute-force attempts.
- Notify users in advance when passwords are about to expire to reduce helpdesk volume.
- Consider enabling Multi-Factor Authentication (MFA) alongside password policies for an additional security layer.
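As an added example (not part of the original article or of any Salesforce tool), this Python script runs over a constructed Login History export and flags the two patterns the audit advice above is looking for: a burst of failed logins against one account from one source IP, and a single IP failing against many accounts. The CSV column names and the Status wording are assumptions of this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Login History export; column names and Status wording are assumed.
SAMPLE_LOGIN_HISTORY = """Username,Login Time,Source IP,Status
bob@example.com,2024-03-04 08:02:00,198.51.100.7,Invalid Password
bob@example.com,2024-03-04 08:02:09,198.51.100.7,Invalid Password
bob@example.com,2024-03-04 08:02:15,198.51.100.7,Invalid Password
bob@example.com,2024-03-04 08:02:21,198.51.100.7,Invalid Password
bob@example.com,2024-03-04 08:02:30,198.51.100.7,Invalid Password
bob@example.com,2024-03-04 08:02:40,198.51.100.7,Password Lockout
carol@example.com,2024-03-04 09:15:00,203.0.113.5,Invalid Password
carol@example.com,2024-03-04 11:40:00,203.0.113.5,Success
dave@example.com,2024-03-04 22:10:00,192.0.2.9,Invalid Password
erin@example.com,2024-03-04 22:10:20,192.0.2.9,Invalid Password
frank@example.com,2024-03-04 22:10:45,192.0.2.9,Invalid Password
"""

def parse_rows(text):
    """Turn the CSV export into dicts with a parsed timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"user": r["Username"], "ip": r["Source IP"], "status": r["Status"],
                     "time": datetime.strptime(r["Login Time"], "%Y-%m-%d %H:%M:%S")})
    return rows

def find_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """(user, ip) pairs with at least `threshold` failed logins inside a sliding window."""
    failures = defaultdict(list)
    for r in rows:
        if r["status"] != "Success":
            failures[(r["user"], r["ip"])].append(r["time"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

def find_spraying(rows, min_users=3):
    """Source IPs whose failed logins touch at least `min_users` distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in rows:
        if r["status"] != "Success":
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
```

A burst that ends in a Password Lockout row confirms the lockout policy fired; a spray from one IP that never trips any single account's limit is the case IP restrictions and MFA are there to cover.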
Password Policies and Multi-Factor Authentication (MFA)
Starting from 2022, Salesforce made Multi-Factor Authentication (MFA) a requirement for all users who log in via the user interface. MFA works alongside password policies — rather than replacing them. Even with MFA enabled, the password policy settings remain relevant for API users and for the password itself as the first authentication factor.
MFA adds a second verification step (such as the Salesforce Authenticator app or a third-party TOTP app) after the correct password is entered. This significantly reduces the risk of unauthorized access even if a user’s password is compromised.
Exam Tip The Admin certification exam may ask about the relationship between password policies and MFA. Remember: MFA is an additional layer of security — it does not replace the need for strong password policies. Both must be configured properly.
Frequently Asked Questions
Can a profile-level password policy be less strict than the org-level policy?
Yes. When you configure a password policy at the profile level, it fully overrides the org-level policy for users assigned that profile — in either direction. You can make it stricter or more lenient. This is why it is important to carefully configure profile-level policies, especially for integration profiles that may need special settings.
What happens when a user's password expires in Salesforce?
When a password expires, Salesforce will prompt the user to create a new password the next time they attempt to log in. The system will block access to the org until the user completes the password change. This is why enabling expiration warning notifications is a best practice — it allows users to proactively update their passwords before being locked out mid-session.
Where is the Password Policies setting in Salesforce Setup?
Navigate to Setup (gear icon → Setup), then type “Password Policies” into the Quick Find box in the left sidebar. Click the result to open the org-level password policy configuration page. For profile-level settings, navigate to Setup → Users → Profiles → [Profile Name], and scroll to the Password Policies section within the profile detail page.
How do I unlock a locked Salesforce user account?
Go to Setup → Users → Users, find the locked user, and open their user record. You will see an “Unlock” button at the top of the page. Click it and the user’s account will be immediately unlocked. You may also want to reset their password at the same time if a security incident prompted the lockout.
Can I prevent users from using dictionary words as passwords?
Yes. Salesforce provides a password policy option to block the use of common dictionary words or easily guessable terms. Enabling the dictionary word restriction adds another layer of protection by rejecting passwords that match common words, even if they technically meet the length and complexity requirements.
Are password policies tested in the Salesforce Admin Certification exam?
Absolutely. Password policies fall under the Security and Access domain, which typically accounts for around 20% of the Salesforce Certified Administrator exam. You should understand org-level vs profile-level settings, lockout behavior, password expiration, complexity options, and how MFA relates to password policies.
Ready to Ace the Salesforce Admin Exam?
Understanding password policies in Salesforce is just one piece of the certification puzzle. Our Salesforce Admin Certification Course at MyTutorialRack covers every exam domain in depth — including:
- Security & Access (Password Policies, Profiles, Roles, Permission Sets)
- Data Management & Data Security Model
- Automation with Flows & Process Builder
- Reports, Dashboards & Analytics
- Sales Cloud & Service Cloud Fundamentals
- Full-length Mock Exams & Practice Questions
Whether you are a beginner stepping into the Salesforce ecosystem or a professional looking to validate your skills, this course will guide you from zero to certified.