Zendesk provides the following levels of password security: low, medium, and high. You can specify your own custom password security level. Each level has stricter requirements for choosing passwords. You can set one password security level for end users, and a different one for team members (admins and agents). Only administrators can change the password security level.
Topics covered in this article:
- About password security levels
- Changing the password security level
- Allowing administrators to set passwords
- Setting session expiration
- Password security best practices
About password security levels
Zendesk provides the following password security levels:
Low - Each password must have at least 5 characters. This is the default security level.
Medium - Each password must have at least 6 characters and meet the following requirements:
- Includes numbers and mixed case letters
- Includes a special character that is not a letter or number
High - Each password must have at least 6 characters and meet the following requirements:
- Includes numbers and mixed case letters
- Includes a special character that is not a letter or number
- The password expires after 90 days and the new password must be different from the 5 previous passwords
Custom - Select Custom, then click Edit to set custom password requirements. Each password must meet the requirements that you set. This security level is available only for agents and admins.
Most of the options are self-explanatory except for the following:
- Number of previous passwords to reject - New passwords must be different from the number of previous passwords you set.
- Failed attempts until lockout - If an end user or agent fails to enter their password correctly the number of times you specify in a row, they are locked out for a certain period of time. They cannot sign in again until the lockout expires.
- Maximum number of consecutive letters or numbers - The maximum number of sequential numbers and letters allowed in the password. For example, if you set the maximum to 4, then a password like admin12345, which has five sequential numbers, will be rejected. If you set the option to 5, then the password is accepted.
- Password can resemble email - Controls whether new passwords can include parts of an email address. For example, when this setting is No, a user with a david@mycompany.com email address cannot include the word david as part of their password.
Zendesk enforces a 128 character limit for passwords. The limit on password length is a reliability measure to prevent a form of DoS attack called “long password denial of service.” To learn more about Zendesk security practices, visit our Security website.
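As an added illustration (not Zendesk's own code), the following checker mirrors the custom-level settings described above: minimum length, numbers and mixed case, a special character, a cap on sequential characters, a history of previous passwords and the "resemble email" rule, with the 128-character limit enforced before any hashing. The policy class, function names and the reading of "sequential" as an ordered run such as 12345 or edcba are this example's assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Custom-level settings from the article; the field names are this example's own."""
    min_length: int = 8
    max_length: int = 128             # Zendesk's stated hard limit on password length
    require_mixed_case_digits: bool = True
    require_special: bool = True
    max_sequential: int = 4           # "Maximum number of consecutive letters or numbers"
    history_size: int = 5             # "Number of previous passwords to reject"
    may_resemble_email: bool = False  # "Password can resemble email"

def longest_sequential_run(pw: str) -> int:
    """Longest run of same-class characters (all digits or all letters) whose code points
    step by exactly 1, e.g. '12345' or 'edcba'. Case-sensitive by design ('aB' is not a run)."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        adjacent = a.isalnum() and b.isalnum() and a.isdigit() == b.isdigit() and abs(ord(b) - ord(a)) == 1
        run = run + 1 if adjacent else 1
        best = max(best, run)
    return best

def hash_password(pw: str, salt: bytes) -> bytes:
    # Slow salted hash for the history store; previous passwords are never kept in clear text.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def validate(pw: str, email: str, history: list[tuple[bytes, bytes]], policy: PasswordPolicy) -> list[str]:
    if len(pw) > policy.max_length:  # reject before hashing: this is the long-password DoS guard
        return [f"longer than {policy.max_length} characters"]
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case_digits and not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        problems.append("needs numbers and mixed case letters")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special character")
    if longest_sequential_run(pw) > policy.max_sequential:
        problems.append(f"more than {policy.max_sequential} sequential letters or numbers")
    if not policy.may_resemble_email:
        # assumption: any local-part token of 3+ characters counts as "part of an email address"
        for token in re.split(r"[._+-]", email.split("@", 1)[0].lower()):
            if len(token) >= 3 and token in pw.lower():
                problems.append(f"contains '{token}' from the email address")
    recent = history[-policy.history_size:] if policy.history_size else []
    if any(hmac.compare_digest(hash_password(pw, salt), digest) for salt, digest in recent):
        problems.append(f"matches one of the previous {policy.history_size} passwords")
    return problems
```

Entries in `history` are `(salt, digest)` pairs produced by `hash_password`, oldest first.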
Changing the password security level
You must be an administrator to change the password security level. If you increase the security level, all passwords, regardless of security level, are set to expire in 5 days. All end users and team members must change their passwords to comply with the new security level.
Increasing the password security level can cause some passwords to expire instantly. If a password is older than 90 days and the security level is increased to high (or a custom level with an expiration restriction), that password is considered expired.
Zendesk sends email notifications to administrators and agents three days before a password expires, and then on the day it expires.
To change the password security level
- Open the password security settings for team members or end users:
  - For team members: In Admin Center, click Account in the sidebar, then select Security > Team member authentication.
  - For end users: In Admin Center, click Account in the sidebar, then select Security > End user authentication. The End users command is not available until you activate the Help Center. See Getting started with Guide.
- Select a Password level, then click Save.
You can set one password security level for end users and a different one for team members.
Allowing administrators to set passwords
Account owners can allow administrators to set passwords for users. However, Zendesk recommends that you leave this option disabled for security reasons. It prevents hackers from using social engineering techniques to deceive well-meaning people into providing confidential information. For example, one technique used by hackers is to repeatedly call or spoof-email a support center posing as a frustrated customer who forgot their password and is unable to recover it, and persisting until an agent has no choice but to change the password manually for the irate customer. Once the password is changed, the hacker has access to confidential information.
You can also set user passwords through the API. See Set a User's Password in the developer docs.
To let administrators set passwords for users
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Passwords tab, select Enable admins to set passwords. You must be the account owner to see this setting.
- Click Save.
When the administrator sets passwords for users, users receive an email letting them know the administrator has set their password.
Setting session expiration
You can set Zendesk to automatically sign out agents and other team members after a period of inactivity. Agents remain signed in as long as they actively use the product. Active use includes typing and clicking links.
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the Authentication tab, set the Session expiration time.
- Click Save.
Password security best practices
Consider posting an article on your Zendesk Support web portal to remind your agents and users about password best practices. Common recommendations include:
- Never use the same password for more than one account
- Never share your password
- Never write down your password
- Never communicate your password by telephone, email, or instant messaging
- Log off before leaving a computer unattended
- Change your password whenever you suspect it's been compromised
For more information on securing your private information, see General security best practices.
12 Comments
Charles Nadeau For End Users, we're unable to find the CUSTOM setting for password security level! 6-chars as password minimum length is not acceptable for a "High" password profile, we need at least 8 chars... How to fix that?
Thank you for messaging us. The password length for "high" security is at minimum 6 only but they can extend it up to eight characters. Unfortunately, this cannot be altered that the minimum would be eight for end-users.
Hi Josh, thanks for your reply and for fixing this document!
But the problem remains: We need Custom setting for User-Agents as you originally documented here (but now corrected...). We chose Zendesk for this reason as well. Minimum length for a "High" security profile should be AT LEAST 8, not 6!!
Looking at literature, I see that the time it takes for a hacker to crack a 6-character password is:
Instantly (number only)
Instantly (lower case letters)
Instantly (upper and lowercase letters)
1 second (Numbers, upper and lower case letters)
5 seconds (Numbers, upper and lower case letters, symbols)
Question: In the meantime, is it possible to have at least 2FA enabled for End Users? @...
Hi @...,
I would like to come back to the topic from Marco of not being able to set custom password requirements. Why does this feature not exist/can this be enabled? 6 characters is not a highly secure password.
Also on the subject of 2FA, this would be important to have for end-users too.
How long are passwords locked out after the set number of attempts?
Hello Matt,
The lockout duration for the password should not last longer than 5 minutes.
What happens when I increase the password complexity? I assume that when new accounts are created, they are simply held to the new requirements.
However, for existing users - will they receive an email notification requesting that they update their password? Will they be prompted to update whenever they next log in to Zendesk?
I don't want my users receiving notifications that could quite obviously look like phishing without first giving them a heads up that this kind of notification or website behavior is expected. I'm planning to communicate the change in advance and want to tell them what to expect.
Take a look at Changing the password security level in the article above -- I think this will address your question. I believe the notifications (email and when they log in) will occur after the 5-day expiration period elapses, not immediately. Hope that helps!
Hi,
Is there a way to set different password policies for different account?
For example, service account used for monitoring?
There is no native functionality that caters to different password policies directly. Users will share access or password security level. I recommend checking this consolidated guide about Zendesk sign-in settings. You mentioned the 'service account', assuming you have one user in your organization who will work as a service account and will access your Zendesk for security purposes. You may look into the API token - API tokens can be used by anyone on the account and aren't associated with specific users. More details can be checked here: Generating a new API token. Thank you!
Some of our agents use SSO while others do not. The SSO option on our account is turned on.
Does this mean the resetting password email does not work?
Thanks
It depends. If you have Zendesk authentication and SSO enabled, your agents have the option to log in via SSO or their user name and password. That said, if you are referring to their Zendesk email and password, resetting the password will allow them to log in. You may also check by going to Admin Center > Team member authentication.
I hope that helps!