Salesforce Password Security Practices
April 28, 2022 by Ever Rucker
Thinking in: CRM/AMS, Salesforce

Are you still recycling passwords you’ve used before, sharing the same password for multiple accounts, or writing passwords on post-it notes? If so, you’re not alone… but it’s time to break the habit! All of these behaviors can make your Salesforce environment vulnerable, so there’s no time like the present to ramp up your best practices. The good news is that Salesforce offers a variety of security controls that you can enable.

Technology has enabled organizations and companies to collect data in many different ways. As we charge forward into a more digital world, privacy and security are no longer limited to the physical confines of your office space and filing cabinet. You wouldn’t make a bunch of copies of your office keys and leave them displayed on the welcome mat, and it’s just as important to routinely audit the state of your data and its security, both for your own sake and for your constituents. It’s time to take a hard look at how your password and security practices need to advance.

All the features discussed below are accessible under Salesforce’s Setup menu, in the Security section. Access Setup by clicking the gear icon (located on the far right of the screen) and selecting Setup. From there, scroll down to the Security section to see the whole list of features, or use the “quick find” search box to find ‘Password Policies’ or ‘Session Management’.

Password Policies Settings

This section lets you easily see your options for customizing password rules. We’ll go through them in a more logical order than the page itself does.

Password Length

In short, the longer the better! Salesforce requires that passwords contain at least 8 characters, including one number and one alphabetic character, but you can increase this minimum length. Passwords with more characters mean more possible character combinations, increasing the strength of the password. We suggest at least 15 characters (a combination of upper- and lower-case letters, numbers, and symbols like !, @, #, *).

Password Complexity

Hand-in-hand with password length is the complexity of your password. It should always be unique (no recycling) and not obvious. Some organizations fall into the practice of using obvious passwords to avoid recycling, but this method creates vulnerabilities as well. For example, passwords that contain all or part of the organization name, the current year or the year the org was founded, or anything related to the website are all obvious and guessable.

The best way to avoid all these pitfalls is to use truly random strings of characters, which is possible if your organization adopts a password management/generator tool like 1Password, or to generate a unique password using the passphrase method. (Note that the same rules about length and complexity then apply to the MAIN password that unlocks the tool! Using a guessable password for a tool that houses all your passwords is like leaving your data out in a convenient carrying case for any passerby to grab all at once.)

Password Expiration

Use custom settings to set password expirations and force users to change their passwords after a set period. By default, Salesforce sets expiration at 90 days, although 30 days is an option, as are passwords that ‘never’ expire. Best practice is to ask people to change their password if it has been compromised and not to require regular resets. Use of this password policy requires the use of the Enforce Password History feature.

Enforce Password History

This security feature has Salesforce remember previously used passwords, so when a user resets a password, they can’t simply recycle an old one. This supports the best practice of having unique passwords.

Maximum Invalid Login Attempts

This security measure is always helpful for guarding against attacks. After a certain number of failed login attempts, the user is locked out for a certain period of time or requires admin action to be let back in. A reasonable number of login attempts is 3 to 5.

User Lockout Effective Period

Related to the previous tip: after a number of unsuccessful login attempts, you can customize how long the user is locked out of the system. This discourages attackers from making ongoing attempts to access the system. Setting a lockout period that discourages attackers without greatly hindering your users is key; a period of 15 minutes is a decent middle ground.

Session Management – Other Means to Secure Your Salesforce Environment

This section lets you easily control user sessions. We’ll point out the important items to pay attention to.

Force logout on session timeout

Many applications and tools force a logout after a period of inactivity, for example if a user walks away from their computer for a few hours or overnight. This simple security measure protects your data by preventing someone else from taking over the logged-in session.

Multi-Factor Authentication

Salesforce has rolled out a new multi-factor authentication (MFA) requirement, so your admin may already have this active in your account. A quick guide to enabling MFA is below; for more information, read our previous post about Salesforce MFA.

1. Find Session Security Levels under Session Settings and move MFA to the right column.
2. Create a new permission set.
3. Find System Permissions (in the System section of Settings) and edit ‘MFA for User Interface Logins’.
4. Assign the permission set to the appropriate users.

Set business hours

You can restrict access to your Salesforce environment outside of business hours. This precaution helps prevent attackers from accessing data overnight or during questionable hours. This measure is applied to users based on their assigned Profile. To adjust this setting, navigate to Profiles in Setup, select the individual Profile you’d like to change, and scroll down to the ‘Login Hours’ section.

IP Restrictions

Salesforce allows administrators to restrict login from untrusted IP addresses and/or IP ranges. This is a helpful security measure for organizations whose users work in-office on a secure network or over a VPN and should never need to log in from any other location or machine. This feature is applied to users based on their assigned Profile. To adjust this setting, navigate to Profiles in Setup, select the individual Profile you’d like to change, and scroll down to the ‘IP restrictions’ section.

Tips for Salesforce Administrators

Conduct a Salesforce Health Check – a powerful tool for a quick audit and assessment of your system. The Health Check compares your environment to Salesforce’s recommended settings, detailing settings that aren’t aligned with Salesforce’s security recommendations. Use Health Check to quickly update your instance and fix security risks:
- Use the Fix Risks button to manage settings all at once, or
- Peruse the detailed list of risks and click ‘Edit’ to navigate to each section for manual changes.

Track/Audit login history – Salesforce maintains 6 months of login history per user. If there is a suspected breach or misuse of the system, an admin can run login history reports to view login attempts (successful and unsuccessful) and login details to help determine how and where the system was accessed (including IP information). Login History is found under the Identity section of Setup and can be exported to CSV as needed.

Salesforce has created features for you to keep your environment as secure as possible. Implementing these best practices over time will help your staff adjust and add protection to your Salesforce environment. What are you waiting for? Get started with just one setting today.
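As an added example (not from the original post or from Salesforce), here is how an admin might triage a Login History CSV export offline: it flags users whose failed attempts reach the Maximum Invalid Login Attempts threshold within the 15-minute lockout window, and successful logins that fall outside business hours or outside a trusted IP range. The column names, sample rows, business hours and trusted network are constructed assumptions for this example.

```python
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like a Login History export; column names are an assumption.
SAMPLE_CSV = """Username,Login Time,Source IP,Status
alice@example.org,2022-04-25 09:02:11,203.0.113.10,Success
bob@example.org,2022-04-25 23:41:02,198.51.100.7,Invalid Password
bob@example.org,2022-04-25 23:41:30,198.51.100.7,Invalid Password
bob@example.org,2022-04-25 23:42:05,198.51.100.7,Invalid Password
bob@example.org,2022-04-25 23:42:40,198.51.100.7,Invalid Password
alice@example.org,2022-04-26 02:30:00,203.0.113.10,Success
dave@example.org,2022-04-26 11:00:00,198.51.100.9,Success
"""
MAX_INVALID, WINDOW = 3, timedelta(minutes=15)  # post's 3-5 attempts, 15-minute lockout
BUSINESS_HOURS = (8, 18)  # 08:00-18:00, constructed for the example
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range

def parse_login_history(text):
    """Read the CSV export into dicts with a parsed timestamp and IP, oldest first."""
    rows = [{"user": r["Username"], "status": r["Status"], "ip": ipaddress.ip_address(r["Source IP"]),
             "time": datetime.strptime(r["Login Time"], "%Y-%m-%d %H:%M:%S")}
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["time"])

def find_lockout_candidates(rows, max_invalid=MAX_INVALID, window=WINDOW):
    """Users with at least max_invalid failed logins inside one sliding window."""
    failures = defaultdict(list)
    for r in rows:
        if r["status"] != "Success":
            failures[r["user"]].append(r["time"])
    flagged = {}
    for user, times in failures.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= max_invalid:
                flagged[user] = len(burst)
                break
    return flagged

def find_policy_exceptions(rows, hours=BUSINESS_HOURS, trusted=TRUSTED_NETS):
    """Successful logins outside business hours or from outside the trusted networks."""
    start, end = hours
    out = []
    for r in (r for r in rows if r["status"] == "Success"):
        reasons = [name for bad, name in ((not start <= r["time"].hour < end, "off-hours"),
                   (not any(r["ip"] in n for n in trusted), "untrusted-ip")) if bad]
        if reasons:
            out.append((r["user"], r["time"].isoformat(), str(r["ip"]), ",".join(reasons)))
    return out
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and adjusting the column names, business hours and trusted range to match your org.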
Want help implementing these settings? Send a request to your support email or contact us to talk about how we can help with your Salesforce needs.

More from Our Series on Cybersecurity:
- Proactive Cybersecurity Action for Your Website and CiviCRM
- Protect Your WordPress Ecosystem
- Nonprofit Leadership’s Role in Cybersecurity

Other Resources:
- Netsec News Summary of NIST Password Recommendations
- 1Password
- Passphrase Method
- Salesforce MFA