FAQ-001428 - Password Management Security / Password Echo Prevention


Current FAQ

Question
What constitutes a 'password echo' vulnerability and how can I prevent it?
Answer
A 'password echo' vulnerability happens when sensitive information, like passwords or secret keys, is displayed in plain text or can be read from the user interface with browser developer tools (inspect element). This can lead to unauthorized access and data compromise. To prevent this vulnerability:

1. Avoid displaying sensitive data, such as passwords, in plain text on the user interface.
2. Mask sensitive information by showing only partial data (e.g., the last two digits) if it must be shown at all.
3. Ensure sensitive data is not accessible through browser developer tools or inspect-element options; a value that is never sent to the client cannot be echoed by it.
4. Use secure storage mechanisms, like protected custom settings or metadata, for sensitive information.
5. Follow secure coding practices to handle sensitive data appropriately.

These steps help protect sensitive information from unauthorized exposure.

AI Recommended Enhancement

Related Security Rules

- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardCodedCredentialsInAura
- AvoidHardcodedSecretsInVFAttrs
- ProtectSensitiveData
- ApexSuggestUsingNamedCred
Question
What constitutes a 'password echo' vulnerability and how can I prevent it?
Recommended Answer Update
A 'password echo' vulnerability happens when sensitive information, like passwords or secret keys, is displayed in plain text or can be accessed through methods like inspect-element in a user interface. This can lead to unauthorized access and data compromise. To prevent this vulnerability:

1. Avoid displaying sensitive data, such as passwords, in plain text on the user interface.
2. Mask sensitive information by showing only partial data (e.g., the last two digits) if needed.
3. Ensure sensitive data isn't accessible through browser developer tools or inspect-element options.
4. Use secure storage mechanisms, like protected custom settings, named credentials, or metadata, for sensitive information.
5. Follow secure coding practices to handle sensitive data appropriately.

These steps help protect sensitive information from unauthorized exposure.
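The following Apex class is an added illustration of the prevention steps in both the current answer and the recommended update above; it is not code from the FAQ or from Salesforce. The class name PaymentGatewayService, the Named Credential Payment_Gateway, and the protected custom setting Gateway_Config__c with its field Api_Key__c are assumed placeholder names. The commented-out "before" block shows the pattern the related rules flag (a hardcoded secret handed to the browser by an @AuraEnabled method); the "after" code keeps the secret on the server and exposes only a masked form to the UI.

```apex
// Added example, not part of the original FAQ. Names below are hypothetical:
// PaymentGatewayService, the Named Credential 'Payment_Gateway', and the
// protected custom setting Gateway_Config__c / Api_Key__c.
public with sharing class PaymentGatewayService {

    // --- BEFORE: the pattern the FAQ warns about ---------------------------
    // A secret hardcoded in a field declaration (what
    // AvoidHardcodedCredentialsInFieldDecls reports) and returned to the
    // browser by an @AuraEnabled method. Anything returned this way can be
    // read with inspect element or the network tab: that is the "echo".
    //
    // private static final String API_KEY = 'sk_live_PLACEHOLDER';
    //
    // @AuraEnabled(cacheable=true)
    // public static String getApiKey() { return API_KEY; }

    // --- AFTER: the secret never leaves the server -------------------------

    // Option 1 (FAQ step 4, named credentials): the 'callout:' endpoint prefix
    // makes the platform attach the stored credential to the request. Apex
    // never holds the raw secret, so there is nothing to echo to the UI.
    public static HttpResponse chargeCard(String token, Decimal amount) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Payment_Gateway/v1/charges');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(JSON.serialize(new Map<String, Object>{
            'token' => token,
            'amount' => amount
        }));
        return new Http().send(req);
    }

    // Option 2 (FAQ step 4, protected custom settings) for integrations that
    // cannot use a Named Credential. In a managed package, a protected setting
    // is readable only by that package's Apex, not through the subscriber
    // org's UI or API. The value is read here and used server-side only.
    private static String readApiKey() {
        Gateway_Config__c cfg = Gateway_Config__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Api_Key__c)) {
            throw new GatewayConfigException('Gateway API key is not configured');
        }
        return cfg.Api_Key__c;
    }

    // The only thing the UI may request (FAQ steps 1-3): a masked reference,
    // computed on the server so the full value is never in the component's
    // JavaScript state or in any response body the browser can inspect.
    @AuraEnabled(cacheable=true)
    public static String getMaskedApiKey() {
        return mask(readApiKey(), 2);
    }

    // Replace every character except the last `visible` ones with '*'.
    // mask('sk_live_abcd1234', 2) returns '**************34'
    @TestVisible
    private static String mask(String secret, Integer visible) {
        if (secret == null) {
            return null;
        }
        Integer hidden = Math.max(secret.length() - visible, 0);
        return '*'.repeat(hidden) + secret.right(visible);
    }

    public class GatewayConfigException extends Exception {}
}
```

A Lightning component that needs to show an operator which key is configured calls getMaskedApiKey and never receives the underlying value, so steps 1 to 3 of the FAQ hold by construction rather than by front-end discipline. The Named Credential path is preferable where the platform supports it, because it removes the secret from Apex entirely; the custom-setting path remains for cases the ApexSuggestUsingNamedCred rule cannot be satisfied.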
Reasoning
The main improvement is using the contraction 'isn't' instead of 'is not' to align with the FAQ brand and tone guidelines calling for conversational language and contractions. Additionally, I updated the secure storage guidance from 'protected custom settings or metadata' to 'protected custom settings, named credentials, or metadata' to better reflect modern Salesforce security best practices, particularly given that named credentials are the recommended approach for storing external system credentials.

Regarding the related security rules: these rules all directly relate to preventing hardcoded sensitive data and protecting credentials, which is the core vulnerability being discussed:

1. AvoidHardcodedCredentialsInFieldDecls - Detects hardcoded credentials in field declarations, directly related to the FAQ's advice about avoiding plain text passwords in code
2. AvoidHardcodedCredentialsInVarAssign - Catches hardcoded credentials in variable assignments, relating to the FAQ's guidance on secure coding practices
3. AvoidHardcodedCredentialsInVarDecls - Identifies hardcoded credentials in variable declarations, supporting the FAQ's recommendation to avoid displaying sensitive data
4. AvoidHardcodedCredentialsInHttpHeader - Prevents hardcoded credentials in HTTP headers, aligning with the FAQ's advice on secure storage mechanisms
5. AvoidHardCodedCredentialsInAura - Detects hardcoded credentials in Aura components, directly supporting the FAQ's point about browser developer tools accessibility
6. AvoidHardcodedSecretsInVFAttrs - Catches hardcoded secrets in Visualforce attributes, relating to the FAQ's guidance on preventing plain text exposure
7. ProtectSensitiveData - General rule for protecting sensitive information, directly matching the FAQ's overall theme of protecting sensitive data from unauthorized exposure
8. ApexSuggestUsingNamedCred - Recommends using named credentials for external authentication, supporting the updated guidance on secure storage mechanisms