Folks,

I just wanted to add a few quick comments on this topic, as I just attempted to use Encrypted Fields myself.  Unfortunately my experience was not great, for the following reasons:


1.  Input is not masked when populating an Encrypted Field.

Admittedly, this is a relativaly minor point and I do understand that the intent of an Encrypted Field was not to replicate the usual password-like functionality one might expect, e.g. confirming the password since you can't see what you're typing.  However, this does seem a bit out of place.


2.  The number of mask characters is equal to the number of characters in the input field.

Ok, this may be another minor point but it's worth mentioning regardless.  Typically when one is storing sensitive data and representing it through some form of "masking", the number of mask characters is intentionally adjusted so as to not give away any information about the underlying field (for example, its length).


3.  The MASKED data is used internally unless the user has "View Encrypted Data" enabled in their profile.

This is a big one.  In most of the password-related situations I've considered, you generally want to allow users to securely enter their credentials (mask during entry) and then use them behind the scenes without exposing them in an end-user interface.  This simply isn't possible using an Encrypted Field as it is currently implemented.  Adding "View Encrypted Data" to a user's profile is not a solution; while doing so does allow Apex code to access the field's actual value (rather than a masked value), this also makes the field viewable to anyone with access to the relevant record.



I'm very surprised Salesforce does not have a mechanism for handling these situations.  I would have thought a "Password" type for custom fields would be a common request.  Ideally, this would provide mask-on-input as well as validation while making the plaintext value accessible through Apex, Javascript, etc.

Have I missed something fundamental here?

I also thought about trying to implement some kind of privileged code execution wherein the Apex code is run as a user with "View Encrypted Data" privileges while the end users do not have this privilege.  That would seem to solve the problem.  Unfortunately, I can't find a way to do this.  In addition, adding the "View Encrypted Data" privilege would likely require creation of a new (custom) profile.  Since these can't be included in application packages, this would represent yet one more manual step required of the users installing a custom application (in addition to, for example, Layout changes and Remote Site Settings for allowing use of a remote web services API).

Anyway, I hope this is useful to someone.  If anyone has suggestions I would be very interested in hearing them.

Thanks,

Damon