Setting the password security level (Professional and Enterprise)

Zendesk provides the following levels of password security: low, medium, and high. If you're on Professional or Enterprise, you can specify your own custom password security level. Each level has stricter requirements for choosing passwords. You can set one password security level for end-users, and a different one for admins and agents. Only administrators can change the password security level.

About password security levels

Zendesk provides the following password security levels:

Low - Each password must have at least 5 characters. This is the default security level.

Medium - Each password must have at least 6 characters and meet the following requirements:

  • Includes numbers and mixed case letters
  • Includes a special character that is not a letter or number

High - Each password must have at least 6 characters and meet the following requirements:

  • Includes numbers and mixed case letters
  • Includes a special character that is not a letter or number
  • The password expires after 90 days and the new password must be different from the 5 previous passwords

Custom (Professional and Enterprise only) - Each password must meet the requirements that you set. Among the options, you can set the period before the password expires. This security level is available only for agents and admins.

Note: If JWT or SAML authentication is enabled, the passwords won't expire because they're not stored. JWT authentication is available on Team, Professional, and Enterprise.
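The level requirements above can be written as a checker, for example to audit passwords against a level before raising it. This is an added example, not Zendesk's code: the level names and requirements come from the list above, while the function names, the dictionary layout, and the salted PBKDF2 storage used for the password history are assumptions of the example.

```python
import hashlib
import hmac
import os
from datetime import timedelta

# Requirements per level, as listed above. The dict layout is this example's own.
LEVELS = {
    "low":    {"min_len": 5, "complex": False, "max_age_days": None, "history": 0},
    "medium": {"min_len": 6, "complex": True,  "max_age_days": None, "history": 0},
    "high":   {"min_len": 6, "complex": True,  "max_age_days": 90,   "history": 5},
}

def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so history is compared without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def violations(password, level, previous=()):
    """Return the requirements `password` fails at `level`.
    `previous` holds (salt, digest) pairs of earlier passwords, newest last."""
    rule = LEVELS[level]
    failed = []
    if len(password) < rule["min_len"]:
        failed.append(f"at least {rule['min_len']} characters")
    if rule["complex"]:
        if not any(c.isdigit() for c in password):
            failed.append("a number")
        if not (any(c.islower() for c in password)
                and any(c.isupper() for c in password)):
            failed.append("mixed case letters")
        if all(c.isalnum() for c in password):
            failed.append("a special character")
    # Only the most recent `history` entries count; older ones may be reused.
    recent = list(previous)[-rule["history"]:] if rule["history"] else []
    for salt, digest in recent:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            failed.append(f"different from the {rule['history']} previous passwords")
            break
    return failed

def is_expired(level, set_at, now):
    """True when the level has an expiry and the password is older than it."""
    max_age = LEVELS[level]["max_age_days"]
    return max_age is not None and now - set_at > timedelta(days=max_age)
```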

Changing password security level

You must be an administrator to change the password security level. If you increase the security level, all passwords set with a lower security level are set to expire in 5 days. End-users must change their passwords to comply with the new security level. The next time they log in, Zendesk alerts them to change their passwords. Zendesk also sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.

To change the password security level

  1. Click the Admin icon in the sidebar, then select Security.
  2. Click the Admins & Agents or End-users tab. You can set one password security level for end-users, and a different one for admins and agents.

    If you started using Zendesk Support on or after August 21, 2013, the End-users tab is not available until you activate the Help Center. See Getting started with the Help Center.

  3. Select one of the security options, then click Save.

Allowing administrators to set passwords

Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons. Leaving it disabled prevents hackers from using social engineering techniques to deceive well-meaning people into providing confidential information. For example, one technique used by hackers is to repeatedly call or spoof-email a support center, posing as a frustrated customer who forgot his or her password and is unable to recover it, and to persist until an agent has no choice but to change the password manually for the irate customer. Once the password is changed, the hacker has access to confidential information.

Note: Even if the option is disabled, administrators can still reset passwords (as distinct from setting passwords). An email is sent to the user's registered email address containing a link that lets the user reset the password. For more information, see Resetting user passwords.

If single sign-on (SSO) is enabled, admins can't send password-reset links to users.

You can also set user passwords through the API. See Set a user's password in the Zendesk API guide.

To let administrators set passwords for users

  1. Log in as the account owner and click the Admin icon in the sidebar, then select Security in the Settings category.
  2. Click the Global tab.
  3. Select the option to enable admins to set passwords, then click Save.

Password security best practices

Consider posting an article in your Help Center to remind your agents and users about password best practices. Common recommendations include:

  • Never use the same password for more than one account
  • Never share your password
  • Never write down your password
  • Never communicate your password by telephone, email, or instant messaging
  • Log off before leaving a computer unattended
  • Change your password whenever you suspect it's been compromised

For a good article on the subject, see Choosing Good Passwords - A User Guide.

For more information on securing your private information, see Security best practices.


Comments

  • 0

    What are the timeouts when using Single Sign On with ADFS?

  • 0

    @Todd - When using SSO, sessions will expire after 8 hours.

  • 0

    Perfect. Thanks Anna.

  • 0

    After the 90 day expiration, can the end-user re-activate their own account or does an agent need to be involved? I want to increase security from low to high, but do not want to increase our ticket volume. Thanks.

  • 0

    @Chris - When a user's password expires, they will be notified when they next try to log in, then they will be forced to set a new one. No agent involvement needed!

  • 0

    Perfect. Thanks!!
