Password policies
There are several password and login policy features that help you improve your organization's security. To set these password policies, navigate to Setup | Security Controls | Password Policies. Select the required settings and then click on Save.
Let's look at each of the password policies that are shown in the following screenshot:
The user password expiration period
Password expiration periods for all users in your organization are set by the User passwords expire in picklist selection.
This sets the length of time until all user passwords expire and must be changed. Users with the Password Never Expires permission are not affected by this setting.
Enforce password history
The Enforce password history setting remembers users' previous passwords so that they must always enter a previously unused password. The password history is not saved until you set this value. You cannot select the No passwords remembered option unless you select the Never expires option for the User passwords expire in field.
Minimum password length
The Minimum password length feature sets the minimum number of characters required for a password. When you set this value, existing users are not affected until the next time they change their passwords.
Password complexity requirement
The Password complexity requirement feature restricts which types of characters must be used in a user's password. The options are No Restriction; Must mix alpha and numeric (which requires at least one alphabetic character and one number); Must mix alpha, numeric and special characters (which requires at least one alphabetic character, one number, and one of the !, #, $, %, -, _, =, +, <, and > characters); Must mix numbers and uppercase and lowercase letters (which requires at least one number, one uppercase letter, and one lowercase letter); and Must mix numbers, uppercase and lowercase letters, and special characters (which requires at least one number, one uppercase letter, one lowercase letter, and one of the !, #, $, %, -, _, =, +, <, and > characters).
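The complexity options above, written out as a checker that reports which required character class a candidate password lacks. This is an added example, not Salesforce's code: the function names, the use of the option labels as dictionary keys, the ASCII-only character classes, and the sample minimum length of 8 are assumptions of this sketch.

```python
import string

# Special characters the page lists for the "special characters" options.
SPECIALS = set("!#$%-_=+<>")

def _classes(password):
    """Report which character classes appear (ASCII-only is an assumption)."""
    return {
        "alpha": any(c in string.ascii_letters for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "lower": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIALS for c in password),
    }

# Option label as written on the page -> classes that must all be present.
REQUIRED = {
    "No Restriction": [],
    "Must mix alpha and numeric": ["alpha", "digit"],
    "Must mix alpha, numeric and special characters": ["alpha", "digit", "special"],
    "Must mix numbers and uppercase and lowercase letters": ["digit", "upper", "lower"],
    "Must mix numbers, uppercase and lowercase letters, and special characters":
        ["digit", "upper", "lower", "special"],
}

def missing_classes(password, option, min_length=8):
    """Return what the password lacks under `option`; an empty list means it passes.
    min_length=8 is a constructed sample value, not a default taken from the page."""
    problems = []
    if len(password) < min_length:
        problems.append("length")
    present = _classes(password)
    problems += [c for c in REQUIRED[option] if not present[c]]
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, checked against every option.
    for pw in ["summer2024", "Summer2024", "Summer2024@", "Summer_2024"]:
        for option in REQUIRED:
            result = missing_classes(pw, option) or "ok"
            print(f"{pw!r:15} {option[:45]:45} -> {result}")
```

Note that `Summer2024@` fails both special-character options in this sketch, because `@` is not among the characters the list above names.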
Password question requirement
The Password question requirement setting requires that a user's answer to the password hint question does not contain the password itself.
Maximum invalid login attempts
The Maximum invalid login attempts feature sets the number of incorrect login attempts a user is allowed before they get locked out. The options are No limit, 3, 5, and 10.
Lockout effective period
The Lockout effective period feature sets the duration of the login lockout. The options are 15 minutes, 30 minutes, 60 minutes, and Forever (must be reset by admin).
If a user gets locked out, they can either wait until the lockout effective period expires, or you can view the user's information and click on Unlock. The Unlock button is only displayed when a user is locked out.
Obscure secret answer for password resets
The Obscure secret answer for password resets feature hides the text as users type the answers to security questions. The default option is unchecked, which displays the answer in plain text when users answer a security question, for example when they are resetting their passwords.