English (US)
  1. Zendesk help
  2. Cross Product
  3. Cross-product features
  4. Managing global security and user access

Setting the password security level (Professional and Enterprise)

Charles Nadeau
  • Edited
Fastpath: Admin Center > Security

Zendesk provides the following levels of password security: low, medium, and high. If you're on Professional or Enterprise, you can specify your own custom password security level. Each level has stricter requirements for choosing passwords. You can set one password security level for end users, and a different one for admins and agents. Only administrators can change the password security level.

Topics covered in this article:

Note: You can use a single sign-on (SSO) solution instead of using Zendesk passwords. See SSO (single sign-on) options in Zendesk.

About password security levels

Zendesk provides the following password security levels:

Low - Each password must have at least 5 characters. This is the default security level.

Medium - Each password must have at least 6 characters and meet the following requirements:

  • Includes numbers and mixed case letters
  • Includes a special character that is not a letter or number

High - Each password must have at least 6 characters and meet the following requirements:

  • Includes numbers and mixed case letters
  • Includes a special character that is not a letter or number
  • The password expires after 90 days and the new password must be different from the 5 previous passwords

Custom (Professional and Enterprise only) - Select Custom, then click Edit to set custom password requirements. Each password must meet the requirements that you set. This security level is available only for agents and admins. For example:

Most of the options are self-explanatory except for the following:

  • Previous passwords - New passwords must be different from the number of previous passwords you set.
  • Failed attempts until lockout - If an end user or agent fails to enter their password correctly the number of times you specify in a row, they are locked out and cannot sign in again until they reset their password.
  • Maximum number of consecutive letters or numbers - The maximum number of sequential numbers and letters allowed in the password. For example, if you set the maximum to 4, then a password like admin12345, which has five sequential numbers, will be rejected. If you set the option to 5, then the password is accepted

Changing the password security level

You must be an administrator to change the password security level. If you increase the security level, all passwords set with a lower security level are set to expire in 5 days. End users must change their passwords to comply with the new security level. The next time they log in, Zendesk alerts them to change their passwords. Zendesk also sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.

To change the password security level

  1. In any product, click the Zendesk Products icon () in the top bar, then select Admin Center.
  2. Click the Security icon () in the left sidebar.
  3. Click the Staff members or End users tab. You can set one password security level for end users, and a different one for staff members (admins and agents).

    The End users tab is not available until you activate the Help Center. See Getting started with Guide.

  4. Select one of the security options, then click Save.

Allowing administrators to set passwords

Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons. It prevents hackers from using social engineering techniques to deceive well-meaning people into providing confidential information. For example, one technique used by hackers is to repeatedly call or spoof-email a support center posing as a frustrated customer who forgot his or her password and who is unable to recover it, and persisting until an agent has no choice but to change the password manually for the irate customer. Once the password is changed, the hacker has access to confidential information.

Note: Even if the option is disabled, admins can still reset passwords (as distinct from setting passwords). An email is sent to the user's registered email address containing a link that lets the user reset the password. See Resetting user passwords. If single sign-on (SSO) is enabled, admins can't send password-reset links to users.

You can also set user passwords through the API. See Set a user's password.

To let administrators set passwords for users

  1. In any product, click the Zendesk Products icon () in the top bar, then select Admin Center.
  2. Click the Security icon () in the left sidebar, then click Advanced.
  3. In the Passwords section, select Enable admins to set passwords.

    You must be the account owner to see this setting.

  4. Click Save.

Setting session expiration

You can set Zendesk to automatically sign out agents and other team members after a period of inactivity. Agents remain signed in as long as they actively use the product. Active use includes typing and clicking links.

To set the session expiration time
  1. In any product, click the Zendesk Products icon () in the top bar, then select Admin Center.
  2. Click the Security icon () in the left sidebar, then click Advanced.
  3. In the Authentication section, set the Session expiration time.
  4. Click Save.

Password security best practices

Consider posting an article on your Zendesk Support web portal to remind your agents and users about password best practices. Common recommendations include:

  • Never use the same password for more than one account
  • Never share your password
  • Never write down your password
  • Never communicate your password by telephone, email, or instant messaging
  • Log off before leaving a computer unattended
  • Change your password whenever you suspect it's been compromised

For a good article on the subject, see Choosing Good Passwords - A User Guide.

For more information on securing your private information, see Security best practices.

Have more questions? Submit a request

14 Comments

Sort by Date Votes
  • Todd Pauley
    Permalink

    What are the timeouts when using Single Sign On with ADFS?

    0
  • Anna Everson
    Permalink

    @Todd - When using SSO, sessions will expire after 8 hours.

    0
  • Todd Pauley
    Permalink

    Perfect. Thanks Anna.

    0
  • Chris Fawley
    Permalink

    After the 90 day expiration, can the end-user re-activate their own account or does an agent need to be involved? I want to increase security from low to high, but do not want to increase our ticket volume. Thanks.

    0
  • Anna Everson
    Permalink

    @Chris - When a user's password expires, they will be notified when they next try to log in, then they will be forced to set a new one. No agent involvement needed!

    0
  • Chris Fawley
    Permalink

    Perfect. Thanks!!

    0
  • Bradley Weismann
    Permalink

    Will Light Agent's also receive the same expiration notifications?

    0
  • Jessie Schutz
    Permalink

    Hi Bradley!

    This notification will go out to any user who has an expired password.

    0
  • David Williams
    Permalink

    Hello

    The wording in the 'your password is about to expire' email to agents appears to be out of date so how do we update this please?

    0
  • Jessie Schutz
    Permalink

    Hi David! Welcome to the Community!

    I'm not sure I understand your question. Can you please be more specific about what you're referring to?

    0
  • David Williams
    Permalink

    Hello Jessie

    Many thanks indeed for responding and sincere apologies that my previous wasn't clear. 

    One of our agents received an automatically generated email from Zendesk which informed them that their login password would expire that day. The exact wording was:

    "Hello xxxx,

    Your current password is set to expire today. Please sign in to our support site as soon as possible to change your password. Once you've signed in, click the drop-down menu next to your name in the upper right and select Change password.https://organisation-name.zendesk.com

    Thank you!"

    However these instructions need updating to read something like "Once you've signed in, click the avatar icon in the upper right corner and select 'view profile'. In your user profile, open the 'Security Settings' tab and click 'Change' in the 'Password' section and follow the on-screen instructions."

    Alas I'm unable to locate the functionality to update the email text myself and I'm hoping that you will be able to assist me please?

     

    0
  • Jessie Schutz
    Permalink

    Hey David! Thank you so much for clarifying! I see what you mean now.

    The text for the password reset email isn't customizable...it's a system message. I'll be sure to pass this on to the right team to see if they can update that. Thanks for bringing it to our attention!

    0
  • Gaëtan Tobie-Echeverria
    Permalink

    hello,

    would be great if the custom option for Zendesk password security level could be available for the end-user tab. Is this in your roadmap ? 

    0
  • Nicole - Community Manager
    Permalink

    Hi Gaetan,

    It is not currently in our roadmap. If you'd like to share your idea in the Support Product Feedback topic other users are more likely to see it there, comment as to whether they have a similar need, and up-vote your idea. Posts that receive a high level of engagement there are passed on to product managers for consideration.

    Thanks for sharing your ideas!

    0

Please sign in to leave a comment.

Related articles

Related articles

Powered by Zendesk