function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Encrypted Custom Fields

Does anyone have any experience using the encrypted fields feature?  I have added an encrypted custom field to the USER object where I store a password.  I want to use this field in some javascript in a custom button.  Like this...
if (xmlhttp)
{'GET', '{!User.Remail__c}&pwd={!User.RPassword__c}', false);
I'm guessing it's still encrypted when it sends the request because it doesn't work.  Is this even possible?  I appreciate the help!!
The API, just like the UI, respects the View Encrypted Fields permission on the user profile.  If the user who is logged in does not have that permission, then your javascript code that they are running will return the masked value.
Thanks mscotton!
I guess I knew that but didn't want to hear it.  If I make the user able to view encrypted fields so I can use it in my script, can you suggest any way to prevent it from being displayed on the user detail page?  Or do you think this feature was not intended for storing a password and try something else like putting it in a cookie?
This feature was not intended to store passwords on the User object.  What are other folks doing for this requirement?

I'm at a loss here buddy.  I was hoping someone would tell me the answer to that question.  I have search the boards but haven't found anything.  Using the encrypted field feature was actually an idea suggested to me by Salesforce.  I experimented with the cookie idea and tested some ideas.  Can I use this in an <apex:page>?  I tried to create one but I got errors.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"


<html lang="en">


<form name="cookieform" action="#">

<p>email <input name="cookievalue1" /></p>

<p>password <input name="cookievalue2" /></p>


<p><a href="javascript:saveIt('ppkcookie1')" class="page">Save</a><p/>

<a href="javascript:readIt('ppkcookie1')" class="page">Read email</a><br />

<a href="javascript:readIt('ppkcookie2')" class="page">Read password</a></p>

<a href="javascript:eraseIt('ppkcookie1')" class="page">Erase cookies</a><br />




<script type="text/javascript">

var advancedJavaScriptSupport = document.createElement && document.getElementsByTagName && createXMLHTTPObject();

function XMLHttpFactories() {

return [

function () {return new ActiveXObject("Msxml2.XMLHTTP")},

function () {return new ActiveXObject("Msxml3.XMLHTTP")},

function () {return new ActiveXObject("Microsoft.XMLHTTP")}



function createXMLHTTPObject() {

var xmlhttp = false;

var factories = XMLHttpFactories();

for (var i=0;i<factories.length;i++) {

try {

xmlhttp = factories[i]();


catch (e) {





return xmlhttp;


var Cookies = {

init: function () {

var allCookies = document.cookie.split('; ');

for (var i=0;i<allCookies.length;i++) {

var cookiePair = allCookies[i].split('=');

this[cookiePair[0]] = cookiePair[1];



create: function (name,value,days) {

if (days) {

var date = new Date();


var expires = "; expires="+date.toGMTString();


else var expires = "";

document.cookie = name+"="+value+expires+"; path=/";

this[name] = value;


erase: function (name) {


this[name] = undefined;




function saveIt(name) {

var x = document.forms['cookieform'].cookievalue1.value;

var y = document.forms['cookieform'].cookievalue2.value;

if (!x)

alert('Please fill in a value in the input box.');

else {



alert('Cookie created');



function readIt(name) {

alert('The value of the cookie is ' + Cookies[name]);


function eraseIt(name) {



alert('Cookies erased');


function init() {

for (var i=1;i<3;i++) {

var x = Cookies['ppkcookie' + i];

if (x) alert('Cookie ppkcookie' + i + '\nthat you set on a previous visit, is still active.\nIts value is ' + x);




Tom H.Tom H.

How about this?  Write a global APEX class with global functions that encrypt and decrypt the password.  Define the encryption key with a non-global static class variable.  Stick the class in a managed package.  The key should be secure an obfuscated on any org where you install your package.  You're packaged global class can call out to the crypto class to perform the encryption and decryption.


After you install your package on the instance where you need the encyrpted password, write an update/insert trigger on the user sObject to call your packaged class to encrypt the custom password field whenever someone inserts a record or someone changes the value in the custom password field.  For your Visual Force page, create a controller class to grab the password and decrypt it using your packaged class.