FAQ-001431 - Password Management Security / Password Encryption and Storage

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

Question: What information should be provided about password management and secure login options?

Answer: Authentication Methods: Use Salesforce authentication mechanisms like OAuth, SSO, or Named Credentials instead of handling raw passwords. Secure Token Storage: Store API keys, session tokens, or OAuth tokens in protected custom settings or encrypted fields. Login Security Practices: Ensure multi-factor authentication (MFA) is supported, sensitive tokens are never logged or exposed, and all communication uses HTTPS/TLS. Compliance and Documentation: Document the secure login flow, token handling, and any compensating controls for the security review.” This aligns with Salesforce policies and avoids unsafe password handling practices.

Enhancing FAQ...

Enhancing FAQ with AI recommendations...

Related Security Rules (click to view): ApexBadCrypto ApexSuggestUsingNamedCred AvoidHardcodedCredentialsInFieldDecls AvoidHardcodedCredentialsInHttpHeader AvoidHardcodedCredentialsInVarAssign AvoidHardcodedCredentialsInVarDecls AvoidUnsafePasswordManagementUse ProtectSensitiveData ApexInsecureEndpoint

Question: What information should be provided about password management and secure login options?

Recommended Answer Update: **Authentication Methods:** Use Salesforce authentication mechanisms like OAuth, SSO, or Named Credentials instead of handling raw passwords. **Secure Token Storage:** Store API keys, session tokens, or OAuth tokens in protected custom settings or encrypted fields. **Login Security Practices:** Ensure multi-factor authentication (MFA) is supported, sensitive tokens are never logged or exposed, and all communication uses HTTPS/TLS. **Compliance and Documentation:** Document the secure login flow, token handling, and any compensating controls for the security review. This aligns with Salesforce policies and avoids unsafe password handling practices.

Reasoning: The FAQ content is well-structured and accurate, covering essential password management and secure login practices. I made minimal formatting improvements by adding bold headers to improve readability and scanning, which aligns with the design for scanning guidelines. I also moved the concluding statement about aligning with Salesforce policies to the end for better flow. No outdated content was detected as all recommendations align with current Salesforce security best practices. For the security rules selected: - **ApexBadCrypto**: Relates to the FAQ's emphasis on proper encryption mentioned in "encrypted fields" for token storage - **ApexSuggestUsingNamedCred**: Directly relates to the FAQ's recommendation to "Use Salesforce authentication mechanisms like OAuth, SSO, or Named Credentials" - **AvoidHardcodedCredentialsInFieldDecls/HttpHeader/VarAssign/VarDecls**: All relate to the FAQ's guidance on secure token storage and avoiding raw password handling - **AvoidUnsafePasswordManagementUse**: Directly matches the FAQ's core message about avoiding unsafe password handling practices - **ProtectSensitiveData**: Relates to the FAQ's guidance on protecting "API keys, session tokens, or OAuth tokens" and ensuring "sensitive tokens are never logged or exposed" - **ApexInsecureEndpoint**: Relates to the FAQ's requirement that "all communication uses HTTPS/TLS"

Reasoning References

Current FAQ