A password security level refers to the strength or complexity of a password. Zendesk provides the following levels of password security: Recommended, High, Medium, and Low. You can set one password security level for end users and a different one for team members.
Zendesk strongly suggests setting the Recommended password security level for both team members and end users. This security level is configured with strict password requirements, checks against known breached passwords, and is based on security best practices and industry standards.
You can also create a custom password security level for team members (admins and agents) if your requirements differ for these users.
This article covers the following topics:
- About password security levels
- Changing the password security level
- Setting a custom password security level for team members
- Allowing administrators to set passwords
- Setting session expiration
- Password security best practices
About password security levels
Many organizations require complex passwords as part of their security policies. Certain regulations, such as the General Data Protection Regulation (GDPR), require organizations to take appropriate technical measures to protect personal data; strong password requirements for the accounts that can reach that data are one such measure.
Zendesk strongly suggests setting the Recommended password security level for both team members and end users to safeguard your account. The Recommended level enforces the following requirements:
- Must be at least 12 characters
- Five attempts allowed before a temporary 10-minute lockout
- Must include uppercase and lowercase letters (a-z and A-Z)
- Must include a number (0-9)
- Must include a special character (!, @, #, %, etc.)
- Must not include the word "Zendesk"
- Must not resemble an email address
- Must pass a check against a list of known breached passwords
The Low, Medium, and High password security levels have lower security requirements. Zendesk recommends changing the security level to Recommended if you are using any of these other levels.
You can review the password requirements for the currently selected security level on the team member or end user authentication page.
The Custom security level is available only for team members and can be used if the Recommended password security level doesn't meet your requirements. See Setting a custom password security level for team members.
Changing the password security level
You must be an administrator to change the password security level. When you increase the security level (for example, from Medium to Recommended), all existing passwords, whatever level they were set under, are set to expire in 5 days. All end users and team members must then change their passwords to comply with the new security level.
Increasing the password security level can also cause some passwords to expire immediately. If a password is older than 90 days and the security level is increased to a level with an expiration restriction, that password is treated as already expired.
Zendesk sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.
If you change the security level from Low, Medium, or High to either Recommended or Custom, you can't revert back. A message warning that the previous levels will no longer be available appears after you click Save.
You can change between the Low, Medium, and High levels and revert back if needed.
To change the password security level
- Open the password security settings for team members or end users:
- For team members: In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- For end users: In Admin Center, click Account in the sidebar, then select Security > End user authentication.
The End users command is not available until you activate the help center. See Getting started with Guide.
- Select a Password level, then click Save.
- If the Low, Medium, or High password security level was previously set and you are changing to Custom or Recommended, you'll receive a message that the previous levels will no longer be available. Click Save to confirm.
Setting a custom password security level for team members
If the Recommended password security level doesn't meet your company's specific requirements for team members, you can create a custom password security level.
Most of the custom options are self-explanatory except for the following:
- Number of previous passwords to reject - New passwords must be different from the number of previous passwords you set.
- Failed attempts until lockout - If a team member (admin or agent) enters their password incorrectly the number of times you specify in a row, they are locked out for a certain period of time. They cannot sign in again until the lockout expires.
- Max number of consecutive letters or numbers - The maximum number of sequential numbers or letters (such as 1234 or abcd) allowed in the password. For example, if you set the maximum to 4, then a password like admin12345, which has five sequential numbers, will be rejected. If you set the option to 5, then the password is accepted.
- Password can resemble email - Controls whether new passwords can include parts of an email address. For example, when this setting is No, a user with a david@mycompany.com email address cannot include the word david as part of their password.
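The following is an added example, not Zendesk's own code (Zendesk does not publish its validation logic). It models the Recommended requirements listed under About password security levels and the four Custom options explained above as a small Python policy checker, so you can see how each rule behaves on real input before you enable it. Everything named here (Policy, validate, LoginGuard, the breached-password set) is hypothetical. Three assumptions are labelled in the code: "consecutive letters or numbers" is read as an ascending run such as 12345 or abcde; "resembles email" is read as containing a three-character-or-longer token of the address's local part or a non-TLD domain label; and the breached-password list is a constructed stand-in for a real corpus such as Have I Been Pwned.

```python
import hashlib
import os
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for a breached-password corpus: SHA-1 digests of passwords we
# declare "breached" for this example. A production check sends only the first five
# hex characters of the digest to the Have I Been Pwned range endpoint (k-anonymity).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("Password123!", "Welcome2024!", "Summer2023!!")}


@dataclass(frozen=True)
class Policy:
    """Defaults model the Recommended level; the last three fields model the
    Custom-level options, with the semantics assumed in the functions below."""
    min_length: int = 12
    require_mixed_case: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbidden_words: Tuple[str, ...] = ("zendesk",)
    check_breached: bool = True
    may_resemble_email: bool = False
    max_sequential_run: Optional[int] = None  # None = no limit
    previous_to_reject: int = 0               # 0 = no history check


RECOMMENDED = Policy()


def resembles_email(password: str, email: str) -> bool:
    """Assumed definition: the password contains (case-insensitively) a token of three or
    more characters from the email's local part or from a non-TLD domain label."""
    local, _, domain = email.lower().partition("@")
    tokens = re.split(r"[._+-]", local) + domain.split(".")[:-1]
    return any(len(t) >= 3 and t in password.lower() for t in tokens)


def longest_sequential_run(password: str) -> int:
    """Longest run like "12345" or "abcde" (each character is the successor of the
    previous one); this is the assumed reading of "consecutive letters or numbers"."""
    best = run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if prev.isalnum() and cur.isalnum() and ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 history entry; a real store keeps its normal slow hash here."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches_previous(password: str, history: Sequence[Tuple[bytes, bytes]], n: int) -> bool:
    return n > 0 and any(hash_password(password, s)[1] == d for s, d in history[-n:])


def validate(password: str, email: str, policy: Policy = RECOMMENDED,
             history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    for wanted, pattern, msg in ((policy.require_mixed_case, r"(?=.*[a-z])(?=.*[A-Z])", "needs upper and lower case"),
                                 (policy.require_digit, r"[0-9]", "needs a number"),
                                 (policy.require_special, r"[^A-Za-z0-9]", "needs a special character")):
        if wanted and not re.search(pattern, password):
            problems.append(msg)
    problems += [f'contains the forbidden word "{w}"' for w in policy.forbidden_words if w in password.lower()]
    if not policy.may_resemble_email and resembles_email(password, email):
        problems.append("resembles the account email address")
    if policy.max_sequential_run is not None and longest_sequential_run(password) > policy.max_sequential_run:
        problems.append(f"more than {policy.max_sequential_run} sequential characters")
    if matches_previous(password, history, policy.previous_to_reject):
        problems.append(f"matches one of the last {policy.previous_to_reject} passwords")
    if policy.check_breached and hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a known breach")
    return problems


class LoginGuard:
    """Consecutive-failure counter with a temporary per-user lockout; the clock is injectable."""

    def __init__(self, max_failures: int, lockout_seconds: float, now=time.monotonic):
        self.max_failures, self.lockout_seconds, self.now = max_failures, lockout_seconds, now
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        deadline = self.locked_until.get(user)
        if deadline is not None and self.now() < deadline:
            return True
        self.locked_until.pop(user, None)  # expired, or never locked
        return False

    def record_failure(self, user: str) -> bool:
        """Count a wrong password; return True if the user is (now) locked out."""
        if self.is_locked(user):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] < self.max_failures:
            return False
        self.failures.pop(user)
        self.locked_until[user] = self.now() + self.lockout_seconds
        return True

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
```

Running validate("admin12345", "david@mycompany.com") under the Recommended defaults reports the short length, the missing uppercase and special characters, and nothing else; under Policy(min_length=10, max_sequential_run=4) the same input also trips the sequential-run rule, which is the admin12345 case from the option description. The history check re-derives the hash with each stored salt rather than keeping cleartext or reversible copies of old passwords, and LoginGuard resets the counter when the lockout starts so a user gets a fresh allowance once it expires.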
To set a custom password security level for team members
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- Select Custom in the Password level drop-down.
- Click the Edit link to set password requirements.
- Select your custom password requirements.
- Click Set.
- Click Save.
- If the Low, Medium, or High password security level was previously set for team members, you'll receive a message that these levels will no longer be available. Click Save to confirm.
Allowing administrators to set passwords
Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons. Leaving it disabled removes a path that attackers exploit through social engineering, deceiving well-meaning staff into handing over access.
For example, one technique used by attackers is to repeatedly call or spoof-email a support center posing as a frustrated customer who forgot their password and is unable to recover it, persisting until an agent gives in and changes the password manually for the irate caller. Once the password is changed, the attacker has access to the account and any confidential information in it.
You can also set user passwords through the API. See Set a User's Password in the developer docs.
To let administrators set passwords for users
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Passwords tab, select Enable admins to set passwords.
You must be the account owner to see this setting.
- Click Save.
When the administrator sets passwords for users, users receive an email letting them know the administrator has set their password.
Setting session expiration
You can set Zendesk to automatically sign out agents and other team members after a period of inactivity. Agents remain signed in as long as they actively use the product. Active use includes typing and clicking links.
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- Click the Authentication tab.
- Set the Session expiration time for team members and end users.
- Click Save.
Password security best practices
Consider posting an article on your Zendesk Support web portal to remind your agents and users about password best practices. Common recommendations include:
- Never use the same password for more than one account.
- Never share your password.
- Never write down your password.
- Never communicate your password by telephone, email, or instant messaging.
- Log off before leaving a computer unattended.
- Change your password whenever you suspect it's been compromised.
For more information on securing your private information, see General security best practices.
16 comments
Marco9000
Charles Nadeau For End Users, we're unable to find the CUSTOM setting for password security level! 6-chars as password minimum length is not acceptable for a "High" password profile, we need at least 8 chars... How to fix that?
0
Josh
Thank you for messaging us. The password length for "high" security is a minimum of 6 only, but they can extend it up to eight characters. Unfortunately, this cannot be altered so that the minimum would be eight for end users.
0
Marco9000
Hi Josh, thanks for your reply and for fixing this document!
But the problem remains: We need Custom setting for User-Agents as you originally documented here (but now corrected...). We chose Zendesk for this reason as well. Minimum length for a "High" security profile should be AT LEAST 8, not 6!!
Looking at literature, I see that the time it takes for a hacker to crack a 6-characters password is:
Instantly (number only)
Instantly (lower case letters)
Instantly (upper and lowercase letters)
1 second (Numbers, Upper and Lower case letters)
5 seconds (Numbers, Upper and Lower case letters, symbols)
Question: In the meantime, is it possible to have at least 2FA enabled for End Users? @...
0
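As an added illustration (not part of the comment above, and not Zendesk material), the following Python computes the search space, entropy and worst-case exhaustive-guess time for the character classes in that table, extended to the 8-character minimum the commenter asks for and the 12-character minimum of the Recommended level. The guess rate is an assumption for illustration, chosen to represent an offline attack against a fast hash; the function and constant names are hypothetical.

```python
import math

# Assumed attacker throughput for offline guessing against a fast hash. This is an
# illustrative assumption, not a figure from the comment thread; scale it to taste.
GUESSES_PER_SECOND = 1e10

# Character classes from the comment above, with the size of each alphabet.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "upper and lowercase": 52,
    "upper, lowercase and digits": 62,
    "upper, lowercase, digits and symbols": 95,  # printable ASCII without space
}


def keyspace(length: int, alphabet: int) -> int:
    """Number of passwords of exactly `length` characters over an alphabet of that size."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy of a uniformly random password (log2 of the keyspace)."""
    return length * math.log2(alphabet)


def exhaustive_seconds(length: int, alphabet: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def table(lengths=(6, 8, 12)):
    """Rows of (charset, length, entropy bits, worst-case time) for the given lengths."""
    return [(name, n, round(entropy_bits(n, size), 1), describe(exhaustive_seconds(n, size)))
            for name, size in CHARSETS.items() for n in lengths]


if __name__ == "__main__":
    for row in table():
        print(*row, sep="\t")
```

At the assumed rate a full-charset 6-character password is exhausted in about a minute, an 8-character one in days, and a 12-character one in on the order of a million years; the absolute figures move with the hash and hardware, but the factor of roughly 9,000 per extra pair of characters does not, which is the point behind the 12-character minimum in the Recommended level.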
Julia
Hi @...,
I would like to come back to the topic from Marco of not being able to set customer password requirements. Why does this feature not exist/can this be enabled? 6 characters is not a highly secure password.
Also on the subject of 2FA, this would be important to have for end-users too.
0
Matt Newnham
How long are passwords locked out after the set number of attempts?
0
Aubree
Hello Matt,
The lockout duration for the password should not last longer than 5 minutes.
0
mfg
What happens when I increase the password complexity? I assume that when new accounts are created, they are simply held to the new requirements.
However, for existing users, will they receive an email notification requesting that they update their password? Will they be prompted to update whenever they next log in to Zendesk?
I don't want my users receiving notifications that could quite obviously look like phishing without first giving them a heads up that this kind of notification or website behavior is expected. I'm planning to communicate the change in advance and want to tell them what to expect.
0
Dave Dyson
Take a look at Changing the password security level in the article above -- I think this will address your question. I believe the notifications (email and when they log in) will occur after the 5-day expiration period elapses, not immediately. Hope that helps!
0
Chin Sin
Hi,
Is there a way to set different password policies for different account?
For example, service account used for monitoring?
0
Jupete Manitas
There is no native functionality that caters to different password policies directly. Users will share access or password security level. I recommend checking this consolidated guide about Zendesk sign-in settings. You mentioned the 'service account', assuming you have one user in your organization who will work as a service account and will access your zendesk for security purposes. You may look into the API token - API tokens can be used by anyone on the account and aren't associated with specific users. More details can be checked here Generating a new API token. Thank you!
0
Pete
Some of our agents use SSO while others do not. The SSO option on our account is turned on.
Does this mean the resetting password email does not work?
Thanks
0
Cheeny Aban
It depends. If you have Zendesk authentication and SSO enabled, your agents have the option to log in via SSO or with their username and password. That said, if you are referring to their Zendesk email and password, resetting the password will allow them to log in. You may also check by going to Admin Center > Team member authentication.
I hope that helps!
0
Donna Adamson
When will Custom Password Security Levels be available for End Users (Customers)?
Currently this security level is available only for agents and admins.
1
Jacob Hill
We need to be able to create custom password settings for end users. A 6-character minimum is not secure and is extremely outdated. Additionally, it does not comply with our security program.
0
Lauren Mulkern
Hi, can you please add to this article what the security password policies are for Low, Medium, and High? Currently this article only displays the policy definition for “Recommended”.
Thanks!
0
Kristie Sweeney
Thanks for your suggestion Lauren Mulkern , I will run this past the team! We encourage customers to switch to the Recommended policy because it is more secure, and therefore, we decided not to include details about the older, less secure policies. However, you can see the details of the older policies when they are selected in the Team member authentication and End user authentication pages in Admin Center. Note that if you change the security level from Low, Medium, or High to either Recommended or Custom, you can't revert back.
0