Best Salesforce Login Practices

Reading Time: 4 minutes


There is an increased importance of protecting your organization and the data it holds. Organizations are holding more data now than ever before, and the quantity is expected to continue growing. With Salesforce, the security risk is identical. Salesforce contains valuable data that attackers would love to get their hands on. Fortunately, the Salesforce platform offers tools and features that empower admins to implement security controls to protect their organization’s data. It is essential you know the best Salesforce login practices to prevent unauthorized access into your Salesforce environment.

Password Policy

Password Length

Salesforce defaults to a minimum of 8 characters for their password length; however, a minimum of 15 characters is more secure. A longer password means that a larger number of possible combinations that needed to be tested before a password is compromised.

Password Complexity

I would argue that password length is more important than password complexity. Still, adding complexity to your passwords, such as numbers or special characters, can add to a higher number of possible combinations your password can be. Salesforce offers six different levels of complexity in their password policy. Find one that fits best for your organization, although I would not recommend the no restriction option.

Password Expiration

You can customize Salesforce password expiration. Salesforce offers times between “never expire” and “30 days.” The default is set to 90 days. This comes from an estimate that it takes 90 days to crack the average password hash. Having users reset their password every XX amount of days ensures that compromised hashes will most likely not be broken before the password is changed. I would recommend using at most 90 days, but again, find something that fits your organization.

Password Question Requirement

Set your password question requirement to “Cannot Contain Password” to prevent users from using their password as part of their security question. Many users try to do this to help them remember their password without jumping through the security hoops. The risk this poses is, rather obviously, significant.

Maximum invalid login attempts

It’s essential to set a certain number of failed login attempts before locking a user out. A low number of attempts could offer more security. Still, it’s important to remember that the more accounts become locked, the more time an admin spends unlocking accounts or, the more time a user must wait until their account unlocks.

Lockout Effective period

You are able to set how long a user is locked out of their account, from 15 minutes to forever. If a user is locked out indefinitely, the account must be reset by an admin.

Enforce Password history

Set Salesforce to remember previously used passwords. Save users’ password history so they must use a new, unique password when changing passwords.

Login Controls

Two-Factor Authentication

Two-Factor Authentication (also called TFA or MFA) is one of the most effective ways to protect your user’s accounts. Two-factor Authentication requires a second level of authentication for every user login. If enabled in Salesforce, users must download an app such as Salesforce Authenticator to provide the second factor of authentication.

IP Restrictions

Minimize the risk of unauthorized access from compromised accounts by limiting the IP ranges users are able to log in from.

Single Sign On (SSO)

Single Sign-On lets users log into multiple resources through one login. This reduces admin costs by managing fewer passwords. Users spend an average of 5-20 seconds to sign into an online app. This is done by validating usernames and passwords against your corporate user database or other client app rather than Salesforce managing separate passwords for each resource.

Set Business Hours

Set hours of operation in which users are able to login and access your Salesforce org. If this method applies to your org, it can help restrict logins from unauthorized or compromised accounts.

Custom login Flows

Build custom login flows and build post-authentication processes. For example, you can have a user define a secret question and validate the answer login. You are also able to set up a policy that sends a notification every time a user logs in during non-standard working hours. Build a custom login process that makes sense to your organization.

Track login History

Salesforce allows you to track login history and download six months of login history.

Force logout on Session Timeout

This requires session timeouts for inactive users, refreshes the browser, and sends the user to the Salesforce login page.

Have any questions about best Salesforce login practices or Salesforce security? Please contact us at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.


Join 14,000+ business executives and decision makers

Upcoming Events

Upcoming Events

Latest Insights

About The Author