Kayako Download customers: we will continue to develop and support Kayako Download beyond July 2017, alongside the new Kayako for existing customers.

The forum you are viewing relates to Kayako Classic. If you signed up or upgraded to the new Kayako (after the 4th July 2016), the information in this thread may not apply to you.

Completed Password policies for end-users

Discussion in 'Kayako product feedback and suggestions' started by teejayuu, Feb 10, 2011.

  1. teejayuu

    teejayuu Established Member

    Is it possible to include a user password policy that has a minimum number of characters and enforces upper/lower case & numbers/symbols? No need for expiry.
  2. simond

    simond Established Member

    See admin->Settings->Security. Don't think it caters for mixed case checking.
  3. teejayuu

    teejayuu Established Member

    Thanks Simon - that's a staff password policy, does it also apply to users? Our helpdesk, although Internet facing, is only used by our company and associates. I'd like to force minimum length and other criteria on users' passwords.
  4. indesigns

    indesigns Established Member

    I love that idea about a user password policy. Maybe even add to this that after a time period, which is selected in admin settings security, the user is required to change it.
  5. teejayuu

    teejayuu Established Member

    Never thought about that, although if it's a public site I wouldn't turn it on. Mine is internal (although Internet facing) and some users have 123, abc, password as passwords.
  6. robertv

    robertv Member

    Nice idea
  7. billingi

    billingi Member

    It would also be nice if you could force a user (or even a staff member) to change their password the first time they logged in.
  8. Drew Keller

    Drew Keller Just one person in a world of millions.

  9. Eric Fleet

    Eric Fleet New Member

    Agreed! Having my admins knowing a staff member's password is a violation of IT policy. This should be a standard feature in Kayako.
  10. IanW

    IanW New Member

    I also need to implement this functionality... specifically to enforce the same password policy option types as a staff account.
  11. Gui4life

    Gui4life Member


    Right now all Kayako users have zero basic password policy enforcement. At the very least give us the ability to set our OWN policy.

    There are several major issues.
    1. Kayako users have ZERO password strength enforcement. Right now every Kayako user can have any password they want, including single character passwords!! Such as "a" or "z". With a password of 1 character it wouldn't be hard to break into their account. They can even have a password of "password". We should be able to set a minimum password strength (characters, required numbers, special, and alphabetical), much like the staff password strength enforcement. Which leads me to my next point.
    2. Kayako users do not have any incorrect password lockout thresholds. Anyone can make a bot to guess an end user's password over and over until they brute force into their account. The system will NOT lock the user's account. The system does not even log bad logins for users!
    This is bad bad bad! :eek: We have confidential information in our ticketing system, and we should be able to trust the most BASIC form of security. Good passwords and password lockout policies. We must be able to force our users to use complex passwords, and we must force good security practices on their accounts. This shouldn't be hard to adapt to the end users as the staff users already have this functionality.
    Doing a search it looks like this "feature" has been vastly ignored.
  12. Jamie Edwards

    Jamie Edwards Staff Member

    Hi Gui4life,

    It hasn't been ignored at all - I'm sure you've seen the number of great ideas and feature requests which get posted :) It is just one of many we consider each month.

    In one of the next major updates to Kayako we will extend password policies to all kinds of user accounts in Kayako, along with generally more secure password storage and generation. It is being worked on!
  13. Gui4life

    Gui4life Member

    Do you have a SWIFT tracker for this issue?
  14. Evert Jor

    Evert Jor New Member

    Gui4life: This password policy is absolutely horrible!!!
  15. Gui4life

    Gui4life Member

    Complete lack of a password policy is more like it! That is still being ignored and still no SWIFT bug tracker.

    I should hydra and brute force the CEO of Kayako's end-user portal login to prove a point so they fix this.
  16. Jamie Edwards

    Jamie Edwards Staff Member

    Happy to report that we've added this to the new Kayako for both agents and customers:

    [Screenshot: Screen Shot 2016-07-11 at 11.20.04.png]

    Find out more about the security features of the new Kayako here: https://www.kayako.com/security
  17. Mimue

    Mimue Established Member

    Hi Jamie,

    what about the K4 download customers?

    So many functions were promised... so many customers were on hold and hoped for the latest update...
    Most of the things that are marked as completed now are NOT available for these customers... and we have been waiting for so long!

    How can you set this in the classic forum to completed? You wrote that there will be service support and further work on the K4?

    I have misunderstood, obviously.

    Best regards,
  18. bear

    bear Kayako Guru

    But not for download customers. 2 years later, added, to the SAAS only.
    Jamie, you have to see how this looks to the download customers you're leaving behind with this move. We asked, begged, pleaded and were told over and again we'd be getting things like this in the next major "update" (not totally new and SAAS version years later), only to see a rash of these seemingly ignored requests suddenly added into v5.
    Really inappropriate to rub this into our faces just how badly we've been screwed over in this. Damn.