Using a Password Manager

Using multiple sandboxes for Salesforce development is a best practice. You want at least one sandbox per user. Even better is when you can use different environments for different features. Of course, this means you’ll have to manage login credentials for your various environments.

We highly recommend using a password manager like LastPass or 1Password. This is valuable for a number of reasons. Not having to remember which password pairs with which username is a major convenience. But password managers bring some significant security benefits as well.

Secure Passwords

Password security is important. Sometimes all that stands between a potential attacker and full access to your Salesforce environment and data is your password. Passwords that can withstand brute-force attacks are important.

Of course, there is a lot of competing information on password security. Many companies have different policies and requirements like requiring you to use upper and lower case letters, numbers and certain “special” characters like !@#$ (but annoyingly not others like ^&*). Salesforce requires a minimum of 8 letters and at least 1 letter and 1 number by default.

But this XKCD on password strength is illustrative:

xkcd on password strength

Sometimes creating passwords like @L3XisSuper1337 seem more secure but they are in fact easier for a computer to guess and harder for you to remember.

Create Unique Passwords for Each Account

Having a unique password for each account is a good idea. If one of your passwords is compromised you don’t want the attacker to have access to all of your other Salesforce sandboxes or other accounts. Password managers remove the burden of having to remember each unique (and ideally lengthy password) from you by automatically storing your information.

Automatically Generate Secure Passwords

With a good password manager you also don’t have to think up new secure passwords. The major password managers all have tools for generating compliant passwords for many sites. LastPass allows you automatically generate secure passwords that meet those criteria with the click of a button.

A password manager can help generate secure passwords that are compliant with password requirements for all sites and saves you from having to remember. For example, LastPass has an automatic generator that gives you the options to insert certain characters:

how blue canvas thinks about security

Sharing Credentials Between Teams

Though sharing credentials is not a best practice that we endorse we do see many teams doing it. Worse, they are sharing credentials over email and chat. This is dangerous because your password can be easily intercepted this way. With a password manager you can securely share login information without ever actually sharing your password.

Never store your password in plain text or over chat or email.

Other Password Tips

When creating your Master Password for your password manager use something like the password xkcd recommends: four simple words that you can easily remember. For example: correcthorsebatterystaple. It would take a computer 550 years to guess that phrase at 1,000 guesses per second.

Never use your Salesforce credentials to login into 3rd party services. Only use OAuth like we do at Blue Canvas.

If you’re using a password manager, you don’t need to have your browser remember passwords. It’s an unnecessary redundancy.

Use Salesforce Authenticator!

Security is something we take very seriously at Blue Canvas. To learn more check out our security documentation.