
Password Policies

Hi All,

Is there a way in Apex to check whether a given piece of text passes the Salesforce password policies?

Use Case: In our customer portal, we are allowing new users to register for the portal. So we are inserting a new user and setting the password in the same call. Now if the password doesn't pass the password policies, then the user is created in SF, but the password is not set. (We are not using the temporary-password approach.)

Varun Pareek
I don't think it is exposed via Apex. As a workaround, you can create a REGEX for it and manage that expression via a custom setting/label. You need to make sure that, as part of org administration, whenever the policy is updated the same is reflected in the REGEX. Not the most ideal solution, but a workaround.
Thanks for your reply.
What about errors like 'INVALID_NEW_PASSWORD: Your password cannot be easy to guess. Please choose a different one.'? How can these be captured in the REGEX?
Varun Pareek
Well, REGEX can define the complexity of the password, like how many special chars you want to have, how many digits, etc. I am not sure what exactly the "INVALID_NEW_PASSWORD" message applies to, but I am fairly certain that this message pops up when the password complexity is NOT met. You can use REGEX to validate/define the password complexity you need. There are other policies as well, like "Enforcing password history", "Minimum password length", etc., which can be implemented. Totally depends on how deep you want to go.
Thanks again. We have set the password policies to min 5 chars and no complexity restrictions. Still, if I try to set 'password' as the password, it gives the above error. So I'm not sure what SF's guidelines are for 'easy to guess' passwords.
Varun Pareek
That looks like an internal password restriction enforced by the "platform" and not by the policies that you define. You may want to configure such "passwords" in a custom setting, but the larger question would be whether we have a comprehensive list of all the passwords that are not allowed. Not to my knowledge. You can try your luck by opening an SF case.
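Putting the two suggestions above together (a complexity REGEX kept in a custom setting, plus an admin-maintained list of blocked passwords), the following Apex class is an added example, not code from the original thread or from Salesforce. It assumes a hypothetical hierarchy custom setting named Password_Policy__c with two fields, Regex__c and Blocked_Passwords__c; neither exists by default. The point is to reject a bad password before the User insert, so a rejected password fails fast instead of leaving a User record without a password. It cannot reproduce the platform's unpublished "easy to guess" check; it only covers what the admin configures.

```apex
/**
 * Added example (not from the original thread). Validates a candidate
 * password against admin-configured rules before the User is inserted.
 *
 * Assumed hypothetical hierarchy custom setting Password_Policy__c:
 *   Regex__c             (Text)      - complexity pattern matching Setup > Password Policies
 *   Blocked_Passwords__c (Long Text) - comma-separated list of disallowed passwords
 */
public with sharing class PasswordPolicyChecker {

    // Fallback pattern used when the custom setting is blank:
    // at least 8 characters, containing at least one letter and one digit.
    private static final String DEFAULT_REGEX = '^(?=.*[A-Za-z])(?=.*\\d).{8,}$';

    public class Result {
        public Boolean isValid = false;
        public List<String> reasons = new List<String>();
    }

    // Runs the configured complexity pattern and the blocked list.
    public static Result check(String candidate) {
        Result r = new Result();
        Password_Policy__c policy = Password_Policy__c.getOrgDefaults();

        String regex = String.isBlank(policy.Regex__c) ? DEFAULT_REGEX : policy.Regex__c;
        if (candidate == null || !Pattern.matches(regex, candidate)) {
            r.reasons.add('Password does not meet the configured complexity pattern.');
        }

        // Case-insensitive denylist; keeps the admin's list in one place.
        if (candidate != null && String.isNotBlank(policy.Blocked_Passwords__c)) {
            for (String blocked : policy.Blocked_Passwords__c.split(',')) {
                if (blocked.trim().equalsIgnoreCase(candidate)) {
                    r.reasons.add('Password is on the blocked list.');
                    break;
                }
            }
        }

        r.isValid = r.reasons.isEmpty();
        return r;
    }

    // Registration helper: only inserts the User once the local check passes,
    // and surfaces any platform-side rejection from System.setPassword
    // (for example INVALID_NEW_PASSWORD) as a readable error instead of
    // a half-finished registration.
    public static List<String> registerWithPassword(User newUser, String candidate) {
        Result r = check(candidate);
        if (!r.isValid) {
            return r.reasons;
        }
        List<String> errors = new List<String>();
        try {
            insert newUser;
            System.setPassword(newUser.Id, candidate);
        } catch (Exception e) {
            // The User may already exist at this point; report it so the caller
            // can fall back to a reset-password flow rather than silently continue.
            errors.add('Registration failed: ' + e.getMessage());
        }
        return errors;
    }
}
```

Usage: call PasswordPolicyChecker.check(candidate) from the registration controller and show the returned reasons to the user; only call registerWithPassword once check() reports isValid. Whenever the org's password policy is changed in Setup, the admin updates Regex__c in the custom setting, as the thread recommends, so the Apex check and the platform policy do not drift apart.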
I did open a case with SF, so let's see what they have to say. I will update this story with my findings. Thanks.
In the past, whenever I got a chance to discuss this with the Salesforce security team (indirectly, of course), I got an answer that the security policies and processes undergo constant updates and revisions, some of which would not be shared in the public knowledge base, and this is to ensure that the platform is secure. I would highly doubt that you would be able to get a perfect REGEX check done, but I would be watching this thread to see if you get a solution :)