FAQ-001430 - Password Management Security / Password Echo Prevention

To implement password change functionality securely: **Use Salesforce-managed authentication:** Rely on standard Salesforce password change flows or SSO/OAuth mechanisms. **Never echo passwords:** Don't display, log, or store passwords anywhere in your app. **Secure token handling:** For API tokens or authentication secrets, store them in protected custom settings, encrypted fields, or Named Credentials. **Sanitize inputs:** Ensure all user input is validated and never injected into UI or logs. **Follow MFA and secure login best practices:** Enforce multi-factor authentication and secure transport (HTTPS/TLS). This aligns with Salesforce security policies and avoids unsafe practices.

The suggested rewrite provided in the prompt is already well-structured and addresses the key security concerns appropriately. I made minimal formatting adjustments to improve readability by using proper bullet points and slightly more conversational language ("Don't" instead of "Do not"). The content correctly emphasizes using Salesforce-managed authentication rather than custom password handling, which is the fundamental security principle for this topic. Regarding security rules selection: - AvoidUnsafePasswordManagementUse: Directly relates to the core topic of implementing password change functionality securely - AvoidHardcodedCredentialsInSetPassword: Relates to the "Never echo passwords" guidance and avoiding unsafe password practices - AvoidHardcodedCredentialsInFieldDecls/VarDecls/VarAssign: Support the guidance about not storing passwords in custom objects or variables - ApexSuggestUsingNamedCred: Directly supports the recommendation to "store them in protected custom settings, encrypted fields, or Named Credentials" - ProtectSensitiveData: Broadly applies to the overall guidance about protecting sensitive authentication data