A password security level refers to the strength or complexity of a password. Zendesk provides the following levels of password security: Recommended, High, Medium, and Low. You can set one password security level for end users and a different one for team members.
Zendesk strongly suggests setting the Recommended password security level for both team members and end users. This security level is configured with strict password requirements, checks against known breached passwords, and is based on security best practices and industry standards.
You can also create a custom password security level for team members (admins and agents) if your requirements differ for these users.
This article covers the following topics:
- About password security levels
- Changing the password security level
- Setting a custom password security level for team members
- Allowing administrators to set passwords
- Setting session expiration
- Password security best practices
About password security levels
Many organizations require complex passwords as part of their security policies. Certain regulations, such as the General Data Protection Regulation (GDPR), require organizations to take steps to ensure the security of personal data, which includes using complex passwords.
Zendesk strongly suggests setting the Recommended password security level for both team members and end users to safeguard your account. The Recommended level enforces the following requirements:
- Must be at least 12 characters
- Must include uppercase and lowercase letters (a-z and A-Z)
- Must include a number (0-9)
- Must include a special character (!, @, #, %, etc.)
- Must not include the word "Zendesk"
- Must not resemble an email address
- Must pass a check against a list of known breached passwords
- Five attempts are allowed before a temporary 10-minute lockout
The Low, Medium, and High password security levels have lower security requirements. Zendesk recommends changing the security level to Recommended if you are using any of these other levels.
You can review the password requirements for the currently selected security level on the team member or end user authentication page.
The Custom security level is available only for team members and can be used if the Recommended password security level doesn't meet your requirements. See Setting a custom password security level for team members.
Changing the password security level
You must be an administrator to change the password security level. When you increase the security level (for example, Medium to Recommended), all passwords, regardless of security level, are set to expire in 5 days. All end users and team members must change their passwords to comply with the new security level.
Increasing the password security level can cause some passwords to expire instantly. If a password is older than 90 days and the security level is increased to a level with an expiration restriction, that password is considered expired.
Zendesk sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.
If you change the security level from Low, Medium, or High to either Recommended or Custom, you can't revert back. After you click Save, you will receive a message that the previous levels will no longer be available.
You can change between the Low, Medium, and High levels and revert back if needed.
To change the password security level
- Open the password security settings for team members or end users:
  - For team members: In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - For end users: In Admin Center, click Account in the sidebar, then select Security > End user authentication. The End users command is not available until you activate the help center. See Getting started with Guide.
- Select a Password level, then click Save.
- If the Low, Medium, or High password security level was previously set and you are changing to Custom or Recommended, you'll receive a message that the previous levels will no longer be available. Click Save to confirm.
Setting a custom password security level for team members
If the Recommended password security level doesn't meet your company's specific requirements for team members, you can create a custom password security level.
Most of the custom options are self-explanatory except for the following:
- Number of previous passwords to reject - New passwords must be different from the number of previous passwords you set.
- Failed attempts until lockout - If an end user or agent fails to enter their password correctly the number of times you specify in a row, they are locked out for a certain period of time. They cannot sign in again until the lockout expires.
- Max number of consecutive letters or numbers - The maximum run of sequential numbers or letters (such as 12345 or abcde) allowed in the password. For example, if you set the maximum to 4, then a password like admin12345, which contains a run of five sequential numbers, is rejected. If you set the option to 5, the password is accepted.
- Password can resemble email - Controls whether new passwords can include parts of an email address. For example, when this setting is No, a user with a david@mycompany.com email address cannot include the word david as part of their password.
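The Recommended requirements listed above and the custom options just described, expressed as a working validator. This is an added example, not Zendesk's own code: the breached-password list is a constructed sample, the set of "special" characters is an assumption, and the lockout helper models the five-attempt, ten-minute rule of the Recommended level.

```python
import re
# Constructed sample breach list (not real data); a production check would query a breach corpus.
BREACHED = {"password1234!", "Welcome2024!!"}
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?`~|\\")  # assumed "special character" set

def longest_sequential_run(pw):
    """Longest run of consecutive letters or digits, e.g. 5 for 'admin12345'."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        same_class = (prev.isdigit() and cur.isdigit()) or (prev.isalpha() and cur.isalpha())
        run = run + 1 if same_class and ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best

def resembles_email(pw, email):
    """True if a token (3+ chars) of the email's local part appears in the password."""
    tokens = re.split(r"[._+-]", email.split("@", 1)[0].lower())
    return any(len(t) >= 3 and t in pw.lower() for t in tokens)

def validate(pw, email, previous=(), min_len=12, max_seq=4, reject_previous=5, allow_email=False):
    """Return the names of the rules the password fails (empty list = accepted)."""
    checks = [
        ("length", len(pw) >= min_len),
        ("case", any(c.islower() for c in pw) and any(c.isupper() for c in pw)),
        ("digit", any(c.isdigit() for c in pw)),
        ("special", any(c in SPECIAL for c in pw)),
        ("brand", "zendesk" not in pw.lower()),
        ("email", allow_email or not resembles_email(pw, email)),
        ("breached", pw not in BREACHED),
        ("sequential", longest_sequential_run(pw) <= max_seq),
        ("reused", not reject_previous or pw not in tuple(previous)[-reject_previous:]),
    ]
    return [name for name, ok in checks if not ok]

class Lockout:
    """Five consecutive failures lock the account for ten minutes (Recommended level)."""
    def __init__(self, max_attempts=5, lock_seconds=600):
        self.max_attempts, self.lock_seconds, self.state = max_attempts, lock_seconds, {}
    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'fail' for a sign-in at epoch time `now`; success resets the count."""
        fails, locked_until = self.state.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"
        if password_ok:
            self.state[user] = (0, 0.0)
            return "ok"
        fails += 1
        self.state[user] = (0, now + self.lock_seconds) if fails >= self.max_attempts else (fails, 0.0)
        return "fail"
```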
To set a custom password security level for team members
- In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
- Select Custom in the Password level drop-down.
- Click the Edit link to set password requirements.
- Select your custom password requirements.
- Click Set.
- Click Save.
- If the Low, Medium, or High password security level was previously set for team members, you'll receive a message that these levels will no longer be available. Click Save to confirm.
Allowing administrators to set passwords
Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons: keeping it disabled prevents attackers from using social engineering techniques to deceive well-meaning people into handing over access.
For example, one technique used by attackers is to repeatedly call or spoof-email a support center posing as a frustrated customer who forgot their password and is unable to recover it, persisting until an agent feels there is no choice but to change the password manually for the irate customer. Once the password is changed, the attacker has access to confidential information.
You can also set user passwords through the API. See Set a User's Password in the developer docs.
To let administrators set passwords for users
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Passwords tab, select Enable admins to set passwords. You must be the account owner to see this setting.
- Click Save.
When the administrator sets passwords for users, users receive an email letting them know the administrator has set their password.
Setting session expiration
You can set Zendesk to automatically sign out agents and other team members after a period of inactivity. Agents remain signed in as long as they actively use the product. Active use includes typing and clicking links.
To set session expiration
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- Click the Authentication tab.
- Set the Session expiration time for team members and end users.
- Click Save.
Password security best practices
Consider posting an article on your Zendesk Support web portal to remind your agents and users about password best practices. Common recommendations include:
- Never use the same password for more than one account.
- Never share your password.
- Never write down your password.
- Never communicate your password by telephone, email, or instant messaging.
- Log off before leaving a computer unattended.
- Change your password whenever you suspect it's been compromised.
For more information on securing your private information, see General security best practices.
20 comments
Kristie Sweeney
Thanks for your suggestion 4533955654426 , I will run this past the team! We encourage customers to switch to the Recommended policy because it is more secure, and therefore, we decided not to include details about the older, less secure policies. However, you can see the details of the older policies when they are selected in the Team member authentication and End user authentication pages in Admin Center. Note that if you change the security level from Low, Medium, or High to either Recommended or Custom, you can't revert back.
0
Lauren Mulkern
Hi, can you please add to this article what the security password policies are for Low, Medium, and High? Currently this article only displays the policy definition for “Recommended”.
Thanks!
0
Javier DM
Just to let you know, then, that the functionality you describe does not exist yet. This request has already been raised by several users, and all the posts are being gathered in this feature request: Feature Request: Brandable Welcome, Verification and Change Password Mails
I suggest you join the conversation and add your comments there. For any concerns, please don't hesitate to open a ticket with support to resolve your questions.
Regards, and have an excellent day!
0
Perez Barber Ivan
Hello.
I am also interested in knowing where the email comes from and how to edit it, because it is sent from our domain, whereas we normally receive Zendesk notifications from <support@zendesk.com> or <support@support.zendesk.com>, and this makes us doubt whether these emails are legitimate.
Thanks
0
Jacob Hill
We need to be able to create custom password settings for end users. A 6-character minimum is not secure and is extremely outdated. Additionally, it does not comply with our security program.
0
Carmen Matesanz
Good morning.
Would it be possible to add the option to edit the email that is sent automatically when the password expiration date approaches?
0
Donna Adamson
When will Custom Password Security Levels be available for End Users (Customers)?
Currently this security level is available only for agents and admins.
1
Cheeny Aban
It depends. If you have Zendesk authentication and SSO enabled, your agents have the option to log in via SSO or their user name and password. That said, if you are pertaining to their Zendesk email and password, resetting the password will allow them to log in. You may also check by going to Admin Center>Team Member authentication
I hope that helps!
0
Pete
Some of our agents use SSO while others do not. The SSO option on our account is turned on.
Does this mean the resetting password email does not work?
Thanks
0
Frédéric Chofardet
Hello,
The High security level no longer matches the level currently required.
Our CISO's (RSSI) recommendations are the following:
- the new password must not be identical to any of the last 10 passwords, not 5
- the password must be 8 characters long, not 6
- the number of attempts allowed with a password is three, not 10
......
Do you plan to update this security level soon?
Thanks
0