When is using System.setPassword() acceptable in managed packages?
Answer
Using `System.setPassword()` is not acceptable in managed packages. This method should not be exposed to end-users as it introduces security vulnerabilities. Instead, password management should be handled through secure mechanisms like email-based reset processes.
Recommended Answer Update
Using `System.setPassword()` is not acceptable in managed packages. This method should not be exposed to end-users as it introduces security vulnerabilities. Instead, password management should be handled through secure mechanisms like email-based reset processes.
Reasoning
The FAQ is accurate and well-structured, clearly stating that `System.setPassword()` is not acceptable in managed packages and explaining why. The content aligns with AppExchange security best practices. The writing is already concise and conversational, following the style guidelines. No changes are needed to the content as it correctly addresses the security concerns around password management in managed packages.

I selected two security rules that directly relate to this FAQ's content:

1) AvoidUnsafePasswordManagementUse: This rule directly addresses the core topic of the FAQ, which is about when `System.setPassword()` is acceptable in managed packages. The FAQ's answer that it's 'not acceptable' and introduces 'security vulnerabilities' aligns perfectly with this rule's purpose of avoiding unsafe password management practices.

2) AvoidHardcodedCredentialsInSetPassword: This rule is specifically about avoiding hardcoded credentials in setPassword methods, which directly relates to the FAQ's discussion of the `System.setPassword()` method and its security implications in managed packages.
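A simplified pre-submission check in the spirit of the two rules named above, added here as an illustration; it is not the rules' own implementation and not code from the FAQ. The Apex sample is constructed, and the finding labels `setPassword-use` and `hardcoded-password` are hypothetical names chosen for this example.

```python
import re

# Constructed Apex sample for illustration (not taken from any real package).
SAMPLE_APEX = """public class UserAdmin {
    void a(Id u, String pw) { System.setPassword(u, pw); }
    void b(Id u) { system.SetPassword(u, 'Welcome(123)!'); }
    void c(Id u) {
        // System.setPassword(u, 'old');
        System.resetPassword(u, true); /* email-based reset */
    }
}
"""
CALL = re.compile(r"\bSystem\s*\.\s*setPassword\s*\(", re.I)  # Apex is case-insensitive
LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")                     # Apex string literal
TOKEN = re.compile(LITERAL.pattern + r"|//[^\n]*|/\*.*?\*/", re.S)

def strip_comments(src):
    """Blank out comments, keeping string literals and line numbers intact."""
    def repl(m):
        text = m.group()
        return text if text[0] == "'" else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, src)

def call_args(code, i):
    """Split the argument list that starts just after '(' at top-level commas."""
    args, start, depth = [], i, 1
    while i < len(code) and depth:
        lit = LITERAL.match(code, i)
        if lit:  # skip a whole string literal so its commas/parens are ignored
            i = lit.end()
            continue
        ch = code[i]
        depth += (ch in "([{") - (ch in ")]}")
        if depth == 0 or (ch == "," and depth == 1):
            args.append(code[start:i].strip())
            start = i + 1
        i += 1
    return args

def scan(src):
    """Return (line, finding) for each System.setPassword call outside comments."""
    code, findings = strip_comments(src), []
    for m in CALL.finditer(code):
        args = call_args(code, m.end())
        hardcoded = len(args) == 2 and LITERAL.fullmatch(args[1])
        kind = "hardcoded-password" if hardcoded else "setPassword-use"
        findings.append((code.count("\n", 0, m.start()) + 1, kind))
    return findings
```

Calling `scan(SAMPLE_APEX)` reports the calls on lines 2 and 3 and ignores the commented-out call and the `System.resetPassword` call. A call spelled inside a string literal is still reported, and dynamic invocation is not detected.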