Salesforce Trust

Stay Current on Security

Salesforce is committed to setting the standard in software-as-a-service as an effective partner in customer security.


Security Best Practices

Salesforce is dedicated to helping our customers be more secure when accessing our service. With the evolving threat landscape, we strongly encourage customers to take action to help prevent unauthorized access to their Salesforce orgs.

We strongly recommend that Salesforce administrators consider taking the following steps to make the experience as secure as possible for Salesforce users, while protecting company data. The following are security features available in Salesforce that provide additional layers of end-user validation or authentication:

Two-Factor Authentication

Two-Factor Authentication requires that all login attempts have both login credentials and a second authentication factor. This can be achieved by using Salesforce Authenticator or similar solutions from security vendors. Login attempts that do not have valid credentials from both sources will not be granted access to Salesforce. Learn how to implement this feature in Help & Training.

Login IP Ranges

Login IP Ranges limit unauthorized access by requiring users to log in to Salesforce from designated IP addresses — typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access to Salesforce. Those who try to log in to Salesforce from outside the designated IP addresses will not be granted access. If you are using Professional, Group, or Personal editions, you can configure Login IP Ranges under Security Controls > Session Settings. If you are using Enterprise, Unlimited, Performance, or Developer editions, you can configure Login IP Ranges under Manage Users > Profiles. Learn how to implement this feature.

TLS 1.1 or Higher

Beginning July 22, 2017, Salesforce will require secure Org connections to use the latest protocol TLS 1.1 or higher to provide a more secure environment and continued PCI compliance. Orgs using TLS 1.0 must be upgraded for continued access to API integrations, connections to communities and sites, partner app exchanges, and user browser access.

Review how your users and integrations connect to Salesforce to ensure your connections are ready to support TLS 1.1. To identify users or integrations still using TLS 1.0, Admins can add the "TLS Protocol" and "TLS Cipher Suite" fields into the Login History Report.
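One way to work through an exported Login History report once those two fields are included, shown as an added example (not Salesforce tooling). "TLS Protocol" and "TLS Cipher Suite" are the fields named above; the other column names, the version string formats and every value in the sample are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample export; only the two TLS column names come from the page.
SAMPLE_EXPORT = """\
Username,Application,Source IP,TLS Protocol,TLS Cipher Suite
alice@example.com,Browser,192.0.2.10,TLS 1.2,ECDHE-RSA-AES256-GCM-SHA384
etl@example.com,Nightly ETL,198.51.100.7,TLS 1.0,AES256-SHA
etl@example.com,Nightly ETL,198.51.100.7,TLS 1.0,AES256-SHA
bob@example.com,Browser,192.0.2.44,TLSv1,AES128-SHA
carol@example.com,Browser,192.0.2.45,TLS 1.1,AES128-SHA
svc@example.com,Connected App,203.0.113.9,,
"""

MIN_VERSION = (1, 1)  # TLS 1.1 is the minimum the page says will be accepted


def parse_tls_version(value):
    """Return (major, minor) for 'TLS 1.0' / 'TLSv1.2' style strings, else None."""
    text = value.strip().upper().replace("TLSV", "").replace("TLS", "").strip()
    if not text:
        return None
    parts = text.split(".")
    try:
        return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return None  # e.g. an unexpected label; surfaced for manual review


def find_legacy_tls(csv_text):
    """Count logins per (user, application) that are below MIN_VERSION.

    Rows with a blank or unparseable protocol are returned separately so they
    are reviewed rather than silently treated as compliant.
    """
    legacy, unknown = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Username"], row["Application"])
        version = parse_tls_version(row.get("TLS Protocol") or "")
        if version is None:
            unknown[key] += 1
        elif version < MIN_VERSION:
            legacy[key] += 1
    return legacy, unknown


if __name__ == "__main__":
    legacy, unknown = find_legacy_tls(SAMPLE_EXPORT)
    for (user, app), count in legacy.most_common():
        print(f"upgrade needed: {user} via {app} ({count} logins)")
    for (user, app), count in unknown.items():
        print(f"review manually: {user} via {app} ({count} logins)")
```

Grouping by user and application separates a single integration that accounts for most TLS 1.0 logins from individual users on outdated browsers, which need different remediation.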

To make a successful transition, you should take action well before the disablement occurs. You can download the TLS 1.0 Disablement Readiness Checklist (PDF) for best practices on how to prepare for this change.

For more information, review Salesforce disabling TLS 1.0 and post your questions to the Official: Salesforce Infrastructure Success Community Group. You can also watch Secure Connections: How TLS 1.0 disablement impacts your organization (webinar) to hear the experts talk about the disablement.

If you have additional questions, please open a case with Support via the Help & Training Portal.

Educate Users About Phishing

Salesforce highly recommends phishing education for all Salesforce users. Most cyber attacks use malware (malicious software) to infect a computer with malicious code designed to steal passwords or data, or to disrupt an entire computer/network. Fortunately, you don’t need to be a security expert to help stop malware.

Some simple recommendations you can make to your Salesforce users:

Teach users to not be fooled by phishing, and to not click links or open attachments in suspicious emails. One of the most effective cyber attack techniques is tricking someone into clicking a link or opening an attachment that installs malware. These are called phishing e-mails because they lure you into opening an email. A phishing email can say something intriguing or useful, or appear to be a legitimate message from a real company (package delivery, payroll, IRS, social networking, etc.).

Instruct users to never open emails from unknown sources. Hackers want people to click on their link so that they can infect the user’s computer. Similarly, teach users that emails received from an unknown source should be evaluated based on the source and whether it makes sense. If not, it may be malicious. The sender's address should always be verified and any links to URLs can be hovered over to validate them. For example, if the link says it’s from Salesforce, then hovering over the link should show a URL ending in "”.

If you or any of your users are unsure about whether a Salesforce email is legitimate, forward the email to See recent phishing examples below.
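The hover check above can also be run over a reported email's HTML body, for example when triaging forwarded messages. This is an added example, not Salesforce code: `example.com` is a placeholder for the trusted domain (the real value is missing from this page), and the sample email is constructed. It shows why "ends in" must be tested against the URL's hostname on a dot boundary rather than against the visible link text or the raw URL string.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "example.com"  # placeholder; substitute the domain you expect

# Constructed sample body: every link *displays* the trusted name.
SAMPLE_EMAIL = """\
<a href="https://login.example.com/reset">login.example.com</a>
<a href="https://login.example.com.attacker.test/reset">login.example.com</a>
<a href="https://notexample.com/reset">example.com</a>
<a href="https://example.com@203.0.113.5/reset">example.com</a>
"""


def host_is_trusted(url, trusted=TRUSTED_DOMAIN):
    """True only if the URL's hostname is the trusted domain or a subdomain of it."""
    host = urlsplit(url).hostname  # drops any user@ prefix and the port
    if host is None:
        return False
    host = host.rstrip(".")
    return host == trusted or host.endswith("." + trusted)


class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html):
    """Return (visible text, href) pairs whose real destination is not trusted."""
    auditor = LinkAuditor()
    auditor.feed(html)
    return [(text, href) for text, href in auditor.links if not host_is_trusted(href)]
```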

My Domain

My Domain allows you to add a custom domain to your Salesforce org URL. Having a custom domain lets you highlight your brand and makes your org more secure. Additionally, this allows you to follow our best practices of not specifying instance names in code and integrations (e.g. Following this best practice will provide you and your end-users a more seamless experience during any future maintenance.

Using My Domain, you define a custom domain that's part of your Salesforce domain. A custom domain is actually a subdomain of a primary domain. If we use an example of Universal Containers, their subdomain would be “universal-containers” in this My Domain example:

A custom domain name helps you better manage login and authentication for your org in several key ways. You can:

  • Block or redirect page requests that don’t use the new domain name
  • Set custom login policy to determine how users are authenticated
  • Work in multiple Salesforce orgs at the same time
  • Let users log in using a social account, like Google and Facebook, from the login page
  • Allow users to log in once to access external services
  • Highlight your business identity with your unique domain URL
  • Brand your login screen and customize right-frame content

Learn more about My Domain and how to implement it for your org.

Password Policies

Strong password security is an important first step in protecting your Salesforce accounts.

Salesforce recommends these best practices:

  1. Password expiration – Salesforce recommends forcing users to reset their passwords after no more than 90 days.
  2. Password length – Salesforce suggests a minimum password length of 8-10 characters.
  3. Password complexity – Require users to include a mix of alpha and numeric characters in their Salesforce password.

In addition, remind users to never reuse passwords on multiple accounts, or they risk compromise of more than one of their accounts. Last, users need to understand that they must never share passwords with anyone, either online or in person; this includes their Salesforce password.

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended or they don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value to between 30 minutes and 8 hours. To change the session timeout, go to Setup > Security Controls > Session Settings.

Phishing Examples

Phishing scams use fraudulent emails to get users to reveal confidential information. Such emails typically look as though they come from a legitimate organization and may contain links to what appears to be that organization's site, but is actually a fake site designed to capture information.

Report suspicious emails by forwarding them to

As these scams get more sophisticated, it can be tough knowing whether an email is real or fake. The best way to avoid being tricked is knowing what to look for. Check out these examples of recent scams:
