What are the password management requirements for applications that integrate with Salesforce?
Answer
“Applications integrating with Salesforce must never store or manage user passwords directly. Use Salesforce authentication mechanisms such as OAuth, SSO, or Named Credentials to handle credentials securely. If storing sensitive data, use encrypted fields or protected custom settings for tokens or API secrets, not passwords, and follow Salesforce’s secure coding and data protection guidelines.”
What are the password management requirements for applications that integrate with Salesforce?
Recommended Answer Update
Applications integrating with Salesforce must never store or manage user passwords directly. Use Salesforce authentication mechanisms such as OAuth, SSO, or Named Credentials to handle credentials securely. If storing sensitive data, use encrypted fields or protected custom settings for tokens or API secrets—never passwords—and follow Salesforce's secure coding and data protection guidelines.
Reasoning
The original answer contains excellent security guidance, but one phrase could be clearer. The phrase 'not passwords' could be misinterpreted as applying only to the storage method rather than emphasizing the absolute prohibition. Changing it to 'never passwords' makes the prohibition more explicit and aligns with security best practices.
Related security rules selected:
- ApexSuggestUsingNamedCred: Directly relates to the FAQ's recommendation to 'use Named Credentials to handle credentials securely'
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader: All relate to the FAQ's guidance about avoiding direct password storage and management
- AvoidHardcodedCredentialsInSetPassword: Specifically relates to the FAQ's statement that applications 'must never store or manage user passwords directly'
- AvoidUnsafePasswordManagementUse: Directly applies to the overall password management requirements discussed in the FAQ
- ProtectSensitiveData: Relates to the FAQ's guidance about using 'encrypted fields or protected custom settings for tokens or API secrets'
- ApexBadCrypto: Relates to the FAQ's mention of following 'secure coding and data protection guidelines', which include proper cryptographic practices
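To make the rules above concrete, here is an added Apex example (not from the FAQ or from Salesforce) that places the hardcoded-credential callout flagged by AvoidHardcodedCredentialsInHttpHeader beside the Named Credential callout that ApexSuggestUsingNamedCred recommends, plus a token read from a protected custom setting. The Named Credential Acme_API, the custom setting Acme_Settings__c and its field Api_Token__c are assumed names for illustration.

```apex
// Added example, not part of the original FAQ or Salesforce's own code.
// Assumed names: Named Credential "Acme_API", protected hierarchy custom
// setting Acme_Settings__c with a text field Api_Token__c.
public with sharing class AcmeCalloutService {

    // ANTI-PATTERN (flagged by AvoidHardcodedCredentialsInHttpHeader):
    // a password embedded in source and pushed into an HTTP header. Anyone
    // who can read the class or the repository holds the credential, and
    // rotating it requires a code deployment.
    public static HttpResponse fetchOrdersInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/orders');
        req.setMethod('GET');
        String creds = 'integration_user:P@ssw0rd!'; // constructed sample, never do this
        req.setHeader('Authorization',
            'Basic ' + EncodingUtil.base64Encode(Blob.valueOf(creds)));
        return new Http().send(req);
    }

    // RECOMMENDED (ApexSuggestUsingNamedCred): the Named Credential stores the
    // endpoint and the secret, and the platform adds the Authorization header
    // at callout time, so no password appears in Apex or version control.
    public static HttpResponse fetchOrders() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Acme_API/orders');
        req.setMethod('GET');
        return new Http().send(req);
    }

    // For a non-password secret (an API token) that must live in the org,
    // read it from a protected custom setting instead of a literal; protected
    // settings are not visible to subscriber orgs of a managed package.
    public static HttpResponse fetchOrdersWithToken() {
        Acme_Settings__c cfg = Acme_Settings__c.getOrgDefaults();
        if (String.isBlank(cfg.Api_Token__c)) {
            // Fail closed rather than falling back to a default credential.
            throw new CalloutException('Acme API token is not configured');
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Acme_API/orders');
        req.setMethod('GET');
        req.setHeader('X-Api-Token', cfg.Api_Token__c);
        return new Http().send(req);
    }
}
```

Running Salesforce Code Analyzer (PMD) over this class should report the first method and pass the other two, which is a quick way to confirm the rules are wired into a CI pipeline.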