Setting the password security level

Many organizations require complex passwords as part of their security policies. Certain regulations, such as the General Data Protection Regulation (GDPR), require organizations to take steps to ensure the security of personal data, which includes using complex passwords.

Zendesk strongly suggests setting the Recommended password security level for both team members and end users to safeguard your account.

The Low, Medium, and High password security levels have lower security requirements. Zendesk recommends changing the security level to Recommended if you are using any of these other levels.

You can review the password requirements for the currently selected security level on the team member or end user authentication page.

The Custom security level is available only for team members and can be used if the Recommended password security level doesn't meet your requirements. See Setting a custom password security level for team members.

You must be an administrator to change the password security level. When you increase the security level (for example, Medium to Recommended), all passwords, regardless of security level, are set to expire in 5 days. All end users and team members must change their passwords to comply with the new security level.

Increasing the password security level can cause some passwords to expire instantly. If a password is older than 90 days and the security level is increased to a level with an expiration restriction, that password is considered expired.

Zendesk sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.

If you change the security level from Low, Medium, or High to either Recommended or Custom, you can't revert back. You will receive the following message after you click Save.

You can change between the Low, Medium, and High levels and revert back if needed.

To change the password security level

1. Open the password security settings for team members or end users.
   • In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
   • In Admin Center, click Account in the sidebar, then select Security > End user authentication.

     The End users command is not available until you activate the help center. See Getting started with Guide.

2. Select a Password level, then click Save.
3. If the Low, Medium, or High password security level was previously set and you are changing to Custom or Recommended, you'll receive a message that the previous levels will no longer be available. Click Save to confirm.

If the Recommended password security level doesn't meet your company's specific requirements for team members, you can create a custom password security level.

Most of the custom options are self-explanatory except for the following:

• Number of previous passwords to reject - New passwords must be different from the number of previous passwords you set.
• Failed attempts until lockout - If an end user or agent fails to enter their password correctly the number of times you specify in a row, they are locked out for a certain period of time. They cannot sign in again until the lockout expires.
• Max number of consecutive letters or numbers - The maximum number of sequential numbers and letters allowed in the password. For example, if you set the maximum to 4, then a password like admin12345, which has five sequential numbers, will be rejected. If you set the option to 5, then the password is accepted
• Password can resemble email - Controls whether new passwords can include parts of an email address. For example, when this setting is No, a user with a david@mycompany.com email address cannot include the word david as part of their password.

Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons. It prevents hackers from using social engineering techniques to deceive well-meaning people into providing confidential information.

For example, one technique used by hackers is to repeatedly call or spoof-email a support center posing as a frustrated customer who forgot their password and is unable to recover it, and persisting until an agent has no choice but to change the password manually for the irate customer. Once the password is changed, the hacker has access to confidential information.

You can also set user passwords through the API. See Set a User's Password in the developer docs.

To let administrators set passwords for users

1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
2. On the Passwords tab, select Enable admins to set passwords.

   You must be the account owner to see this setting.

3. Click Save.

   When the administrator sets passwords for users, users receive an email letting them know the administrator has set their password.

You can set Zendesk to automatically sign out agents and other team members after a period of inactivity. Agents remain signed in as long as they actively use the product. Active use includes typing and clicking links.

Consider posting an article on your Zendesk Support web portal to remind your agents and users about password best practices. Common recommendations include:

• Never use the same password for more than one account.
• Never share your password.
• Never write down your password.
• Never communicate your password by telephone, email, or instant messaging.
• Log off before leaving a computer unattended.
• Change your password whenever you suspect it's been compromised.

For more information on securing your private information, see General security best practices.