Zendesk provides the following levels of password security: low, medium, and high. You can specify your own custom password security level. Each level has stricter requirements for choosing passwords. You can set one password security level for end users, and a different one for admins and agents. Only administrators can change the password security level.
Topics covered in this article:
- About password security levels
- Changing the password security level
- Allowing administrators to set passwords
- Setting session expiration
- Password security best practices
About password security levels
Zendesk provides the following password security levels:
Low - Each password must have at least 5 characters. This is the default security level.
Medium - Each password must have at least 6 characters and meet the following requirements:
- Includes numbers and mixed case letters
- Includes a special character that is not a letter or number
High - Each password must have at least 6 characters and meet the following requirements:
- Includes numbers and mixed case letters
- Includes a special character that is not a letter or number
- The password expires after 90 days and the new password must be different from the 5 previous passwords
Custom - Select Custom, then click Edit to set custom password requirements. Each password must meet the requirements that you set. This security level is available only for agents and admins.
Most of the custom options are self-explanatory except for the following:
- Number of previous passwords to reject - New passwords must be different from the number of previous passwords you set.
- Failed attempts until lockout - If an end user or agent fails to enter their password correctly the number of times you specify in a row, they are locked out for a certain period of time. They cannot sign in again until the lockout expires.
- Maximum number of consecutive letters or numbers - The maximum number of sequential numbers and letters allowed in the password. For example, if you set the maximum to 4, then a password like admin12345, which has five sequential numbers, will be rejected. If you set the option to 5, then the password is accepted.
- Password can resemble email - Controls whether new passwords can include parts of an email address. For example, when this setting is No, a user with a david@mycompany.com email address cannot include the word david as part of their password.
Zendesk enforces a 128 character limit for passwords. The limit on password length is a reliability measure to prevent a form of DoS attack called “long password denial of service.” To learn more about Zendesk security practices, visit our Security website.
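The rules above (minimum length, mixed case, digits, a special character, rejected previous passwords, a cap on sequential characters, the email-resemblance check and the 128-character ceiling) are easy to get subtly wrong when you implement them in your own systems. The following validator is an added example written for this article; it is not Zendesk's code and does not reproduce Zendesk's implementation. The Low/Medium/High presets follow the rules listed above, while the CUSTOM preset, the 3-character floor for email parts, the PBKDF2 parameters, and the reading of "sequential" as characters that step by one in the same direction ("12345", "abcde") are all assumptions made here.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """One security level. Presets below mirror the article; CUSTOM is illustrative."""
    min_length: int = 5
    max_length: int = 128                 # hard ceiling against long-password DoS
    require_mixed_case: bool = False
    require_digit: bool = False
    require_special: bool = False
    previous_passwords_to_reject: int = 0
    max_sequential: Optional[int] = None  # None = no limit
    may_resemble_email: bool = True


LOW = PasswordPolicy()
MEDIUM = PasswordPolicy(min_length=6, require_mixed_case=True,
                        require_digit=True, require_special=True)
HIGH = PasswordPolicy(min_length=6, require_mixed_case=True, require_digit=True,
                      require_special=True, previous_passwords_to_reject=5)
# Hypothetical custom level; the values are chosen for this example only.
CUSTOM = PasswordPolicy(min_length=8, require_mixed_case=True, require_digit=True,
                        require_special=True, previous_passwords_to_reject=5,
                        max_sequential=4, may_resemble_email=False)


def longest_sequential_run(s: str) -> int:
    """Longest run of letters/digits whose code points step by exactly +1 or -1
    in one direction ('12345', 'abcde', 'dcba'). 'admin' scores 1.
    This is an assumed reading of the 'consecutive letters or numbers' option."""
    best = run = 1 if s else 0
    direction = 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if prev.isalnum() and cur.isalnum() and abs(step) == 1:
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def resembles_email(password: str, email: str, min_part_len: int = 3) -> bool:
    """True if the password contains a part of the address: local-part tokens or
    domain labels other than the TLD ('david' and 'mycompany' for david@mycompany.com).
    The 3-character floor is an assumption."""
    local, _, domain = email.lower().partition("@")
    parts = re.split(r"[^a-z0-9]+", local) + domain.split(".")[:-1]
    pw = password.lower()
    return any(len(p) >= min_part_len and p in pw for p in parts)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so that password history is stored as digests, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def record_password(password: str, history: List[Tuple[bytes, bytes]]) -> None:
    """Append the accepted password's (salt, digest) to the user's history, oldest first."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def validate(password: str, policy: PasswordPolicy, email: Optional[str] = None,
             history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return every rule the password violates; an empty list means it is accepted."""
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_mixed_case and not (any(c.islower() for c in password)
                                          and any(c.isupper() for c in password)):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if policy.require_special and not any(not c.isalnum() for c in password):
        problems.append("needs a special character that is not a letter or number")
    if policy.max_sequential is not None and longest_sequential_run(password) > policy.max_sequential:
        problems.append(f"contains more than {policy.max_sequential} sequential letters or numbers")
    if not policy.may_resemble_email and email and resembles_email(password, email):
        problems.append("resembles the account email address")
    if policy.previous_passwords_to_reject:
        # Only the most recent N entries count; compare digests in constant time.
        for salt, digest in history[-policy.previous_passwords_to_reject:]:
            if hmac.compare_digest(hash_password(password, salt), digest):
                problems.append(f"matches one of the previous {policy.previous_passwords_to_reject} passwords")
                break
    return problems


if __name__ == "__main__":
    # The article's own example: five sequential digits against a maximum of 4.
    print(validate("admin12345", CUSTOM, email="david@mycompany.com"))
```

Returning the full list of violations rather than stopping at the first one lets the sign-in form tell the user everything they need to fix in one round trip. The history check deliberately re-derives PBKDF2 for each stored entry, which is why the number of rejected previous passwords should stay small.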
Changing the password security level
You must be an administrator to change the password security level. If you increase the security level, all passwords, regardless of security level, are set to expire in 5 days. All end users and staff members must change their passwords to comply with the new security level. For end users, the next time they log in, Zendesk alerts them to change their passwords. Zendesk also sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.
To change the password security level
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar.
- Click the Staff members or End users tab. You can set one password security level for end users, and a different one for staff members (admins and agents).
The End users tab is not available until you activate the Help Center. See Getting started with Guide.
- Select one of the security options, then click Save.
Allowing administrators to set passwords
Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons. Leaving it disabled prevents hackers from using social engineering techniques to deceive well-meaning people into providing confidential information. For example, one technique used by hackers is to repeatedly call or spoof-email a support center posing as a frustrated customer who forgot his or her password and is unable to recover it, persisting until an agent feels there is no choice but to change the password manually for the irate customer. Once the password is changed, the hacker has access to confidential information.
You can also set user passwords through the API. See Set a user's password.
To let administrators set passwords for users
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar, then click Advanced.
- In the Passwords section, select Enable admins to set passwords.
You must be the account owner to see this setting.
- Click Save.
When the administrator sets passwords for users, users receive an email letting them know the administrator has set their password.
Setting session expiration
You can set Zendesk to automatically sign out agents and other team members after a period of inactivity. Agents remain signed in as long as they actively use the product. Active use includes typing and clicking links.
- In any product, click the Zendesk Products icon in the top bar, then select Admin Center.
- Click the Security icon in the left sidebar, then click Advanced.
- In the Authentication section, set the Session expiration time.
- Click Save.
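Two of the settings on this page are about time rather than password content: "Failed attempts until lockout" (a number of consecutive failures in a row locks the account for a period) and the session expiration time (an idle session ends, while active use keeps it alive). The tracker below is an added example written for this article, not Zendesk's code; the attempt threshold, lockout period and idle timeout are assumed values passed in by the caller, and the choice that attempts made during a lockout are rejected without extending it is an assumption too. The clock is injected as a number of seconds so the behaviour can be exercised deterministically.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class LoginGuard:
    """Per-user consecutive-failure lockout plus idle-session expiry.
    All thresholds are assumed values supplied by the caller; `now` is seconds."""
    max_failed_attempts: int = 5          # "Failed attempts until lockout"
    lockout_seconds: int = 15 * 60        # how long a locked account stays locked
    session_idle_seconds: int = 8 * 3600  # "Session expiration" after inactivity
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    last_activity: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Feed one sign-in attempt; returns 'locked', 'failed' or 'ok'.
        A correct password during a lockout is still refused (assumed behaviour)."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)       # a success resets the "in a row" count
            self.last_activity[user] = now      # sign-in starts an active session
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.max_failed_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)       # counting restarts once the lockout ends
            return "locked"
        self.failures[user] = count
        return "failed"

    def session_active(self, user: str, now: float) -> bool:
        """True while the user has done something within the idle window."""
        last = self.last_activity.get(user)
        return last is not None and now - last < self.session_idle_seconds

    def touch(self, user: str, now: float) -> bool:
        """Record active use (typing, clicking). Returns False if the session
        has already expired, in which case the user must sign in again."""
        if not self.session_active(user, now):
            self.last_activity.pop(user, None)
            return False
        self.last_activity[user] = now
        return True


if __name__ == "__main__":
    g = LoginGuard(max_failed_attempts=3, lockout_seconds=600, session_idle_seconds=1800)
    for t in (0, 1, 2):
        print(t, g.record_attempt("agent@example.com", False, t))
    print("later:", g.record_attempt("agent@example.com", True, 700))
```

The two counters are independent on purpose: a lockout is a property of the account and survives a closed browser, whereas the idle timer is a property of one session and is refreshed by every request the user makes.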
Password security best practices
Consider posting an article on your Zendesk Support web portal to remind your agents and users about password best practices. Common recommendations include:
- Never use the same password for more than one account
- Never share your password
- Never write down your password
- Never communicate your password by telephone, email, or instant messaging
- Log off before leaving a computer unattended
- Change your password whenever you suspect it's been compromised
For a good article on the subject, see Choosing Good Passwords - A User Guide.
For more information on securing your private information, see Security best practices.
19 Comments
What are the timeouts when using Single Sign On with ADFS?
@Todd - When using SSO, sessions will expire after 8 hours.
Perfect. Thanks Anna.
After the 90 day expiration, can the end-user re-activate their own account or does an agent need to be involved? I want to increase security from low to high, but do not want to increase our ticket volume. Thanks.
@Chris - When a user's password expires, they will be notified when they next try to log in, then they will be forced to set a new one. No agent involvement needed!
Perfect. Thanks!!
Will Light Agent's also receive the same expiration notifications?
Hi Bradley!
This notification will go out to any user who has an expired password.
Hello
The wording in the 'your password is about to expire' email to agents appears to be out of date so how do we update this please?
Hi David! Welcome to the Community!
I'm not sure I understand your question. Can you please be more specific about what you're referring to?
Hello Jessie
Many thanks indeed for responding and sincere apologies that my previous wasn't clear.
One of our agents received an automatically generated email from Zendesk which informed them that their login password would expire that day. The exact wording was:
"Hello xxxx,
Your current password is set to expire today. Please sign in to our support site as soon as possible to change your password. Once you've signed in, click the drop-down menu next to your name in the upper right and select Change password. https://organisation-name.zendesk.com
Thank you!"
However these instructions need updating to read something like "Once you've signed in, click the avatar icon in the upper right corner and select 'view profile'. In your user profile, open the 'Security Settings' tab and click 'Change' in the 'Password' section and follow the on-screen instructions."
Alas I'm unable to locate the functionality to update the email text myself and I'm hoping that you will be able to assist me please?
Hey David! Thank you so much for clarifying! I see what you mean now.
The text for the password reset email isn't customizable...it's a system message. I'll be sure to pass this on to the right team to see if they can update that. Thanks for bringing it to our attention!
hello,
would be great if the custom option for Zendesk password security level could be available for the end-user tab. Is this in your roadmap ?
Hi Gaetan,
It is not currently in our roadmap. If you'd like to share your idea in the Support Product Feedback topic other users are more likely to see it there, comment as to whether they have a similar need, and up-vote your idea. Posts that receive a high level of engagement there are passed on to product managers for consideration.
Thanks for sharing your ideas!
Hi,
We have our password level set to high, however I have 1 user account that is used to access the API from several scripts.
Although it is perfect that each user has to change his/her password every 90 days, this is more problematic for this 'API-User'.
Is there a way to mark a specific user account as 'password never expires'?
Many thanks,
Micha
Hey Micha,
These changes would be for all agents across the account, unfortunately. Have you looked into generating an API token and using that newly created token instead?
Let me know!
Hi Brett,
Thanks for the quick answer,
I was already using an API key but still received several emails addressed to this API-User telling me the password would expire, so this confused me.
Is it correct to say that, even if a password of an account has expired and/or the account has been locked, the API key for that account/user will always stay active and can be used without having to update the password every 90 days?
Thanks,
Micha
Hey Micha,
The API token will still be valid, the user would just need to reset their password to be able to log into the agent interface. If you never log in with that user, that shouldn't cause issues with your API calls as long as the token is being used.
Let me know if the above doesn't make sense!
Today I found that my low security level user account was getting a "password has expired" dialog on login; but the dialog gave a minimum length of 5 characters - indicating that the account is indeed a low level account and does not have an expiry policy. Weirdly, this happened when I logged in with both the correct password or when I just mashed the keyboard. And then I entered the current password as both the current password and the new one. I can only assume that somehow the password expired bit got flipped on disk...
Talking of password expiry, this is worth a read:
https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry