This policy is established in order to enhance information security for The University of Hong Kong. These requirements are necessary to help ensure personal security and protect data integrity, academic and research interactions throughout the University.
The Password Policy was refined in December 2011 and details can be found in the following sections.
- Regular Password Change (every 180 days)
- Email Notification on Password Change
- Strengthen the Password
- Account Locked after Repeated Login Failures
- Introduction of "Secret Question" for Identity Verification when Forgetting Password
- Password History
1. Regular Password Change (every 180 days)
- Staff and students will be reminded to change their HKU Portal PIN (PIN) regularly every 180 days.
- Staff and students are strongly advised to follow the 180 days password change practice.
- Staff and students will see a reminder message when they log in to HKU Portal 2 weeks before the password expiry (see screen captures). They will also receive email messages to remind them to change their PIN.
- Upon receipt of the reminder message, staff and students can choose to change their PIN immediately or do so later.
- Staff in the administrative/service departments (including Computer Centre, CEDARS, Estates Office, FEO and Registry) who are required to handle personal, sensitive and financial information through the HKU Portal will be required to change their PIN every 180 days, based on the Audit Committee's recommendation. Their departments will be requested to assess whether keeping a password unchanged is acceptable given the work nature of the staff members concerned.
- Heads of the above-mentioned administrative/service departments will receive a monthly reference list of their colleagues who have not changed their PIN for over 180 days, for reminding them to follow the 180 days password change practice.
- In case the PIN is not changed, or no indication is received to confirm the change of PIN, within 2 weeks before the password expiry date, the HKU Portal account will be temporarily disabled after the 180 days password expiry date (see screen capture).
- For an HKU Portal account disabled due to password ageing, staff/students can reactivate the account by changing the PIN online through an attempt to log in to HKU Portal (see http://www.itservices.hku.hk/faq/reset_portal_pin.htm for the procedure).
2. Email Notification on Password Change
- A notification email will be sent to the account holder whenever his/her HKU Portal PIN is changed.
3. Strengthen the Password
- Staff and students are advised to change their initial HKU Portal PIN immediately.
- When changing the PIN, users must assign a PIN that contains at least one letter (a-z, A-Z) and at least one digit (0-9) and is eight characters in length.
4. Account Locked after Repeated Login Failures (effective in November 2010)
- An HKU Portal account will be automatically locked after eight repeated login failures to the HKU Portal, and no further login attempts will be allowed for 30 minutes.
- A notification email will be sent to the user after the account is locked.
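The lockout rule above, as an added example that is not part of the original policy page or of ITS's systems: the account locks after the eighth consecutive failure, rejects every attempt (even with the correct credential) for 30 minutes, queues one notification email, and resets the failure counter on the first successful login once the window has passed. The clock is injectable so the 30-minute window can be exercised without waiting; the UID and the in-memory "mail gateway" are constructed for the example.

```python
"""Account lockout after repeated login failures (added example, not ITS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 8                         # from the policy: eight repeated failures
LOCKOUT_WINDOW = timedelta(minutes=30)   # from the policy: no attempts for 30 minutes


@dataclass
class AccountState:
    failures: int = 0                       # consecutive failed attempts so far
    locked_until: Optional[datetime] = None  # None means the account is not locked


@dataclass
class LockoutTracker:
    clock: Callable[[], datetime] = datetime.now
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    sent_mail: List[Tuple[str, str]] = field(default_factory=list)  # stand-in for the mail gateway

    def _state(self, uid: str) -> AccountState:
        return self.accounts.setdefault(uid, AccountState())

    def is_locked(self, uid: str) -> bool:
        """True while the 30-minute window is still running; clears the lock once it has passed."""
        st = self._state(uid)
        if st.locked_until is None:
            return False
        if self.clock() >= st.locked_until:
            st.locked_until = None   # window elapsed: unlock and count afresh
            st.failures = 0
            return False
        return True

    def attempt(self, uid: str, credential_ok: bool) -> str:
        """Process one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(uid):
            return "locked"          # no attempts at all are accepted during the window
        st = self._state(uid)
        if credential_ok:
            st.failures = 0          # a successful login resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self.clock() + LOCKOUT_WINDOW
            self.sent_mail.append((uid, "Your HKU Portal account has been locked"))
        return "failed"


class FakeClock:
    """Controllable clock so the 30-minute window can be tested deterministically."""
    def __init__(self, start: datetime) -> None:
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def demo() -> dict:
    """Walk through the policy with a constructed account and clock."""
    clock = FakeClock(datetime(2011, 12, 1, 9, 0))
    tracker = LockoutTracker(clock=clock)
    uid = "u1234567"  # constructed sample UID, not a real account
    results = [tracker.attempt(uid, credential_ok=False) for _ in range(MAX_FAILURES)]
    out = {
        "after_8_failures": results[-1],         # "failed": the eighth failure triggers the lock
        "locked": tracker.is_locked(uid),        # True
        "mails_sent": len(tracker.sent_mail),    # 1: exactly one notification email
    }
    clock.advance(timedelta(minutes=10))
    out["correct_pw_during_lock"] = tracker.attempt(uid, credential_ok=True)   # "locked"
    clock.advance(timedelta(minutes=21))   # now 31 minutes after the lock
    out["correct_pw_after_window"] = tracker.attempt(uid, credential_ok=True)  # "ok"
    out["failures_after_success"] = tracker.accounts[uid].failures            # 0
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the lock applies regardless of whether the credential offered during the window is correct; that is what stops an online guessing loop from being rewarded on the attempt that happens to be right.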
5. Introduction of "Secret Question" for Identity Verification when Forgetting Password (effective in November 2010)
- A “secret question” approach will be implemented, through which users can make use of this mechanism for identity verification when submitting a password change request in case they forget the password. By using this approach, no paper application with identity proof is required to be submitted to ITS for a password change.
- The mechanism will operate as follows:
- Users can select from five pre-defined secret questions or define their own secret questions.
- Users then assign the answers to the secret questions.
- The user enters the HKU Portal/Enterprise Portal UID, selects the correct questions and provides case-insensitive, exact-match answers to the secret questions; the system then checks the correctness of the information entered.
- Users will also be asked to type in a few random letters or digits shown in a graphical image that cannot be read by a machine. This prevents automated or electronic processes from accessing the online form.
- After the information is checked, the user is allowed to reset the password.
- The new password will be effective in 20 minutes.
- Users have to opt-in and register to be able to use the “secret question” approach. Otherwise, they can only change their passwords via submitting a paper application form to ITS.
6. Password History (effective in November 2010)
- Users are encouraged not to reuse their passwords.
- Users will not be allowed to use an old password that has been used in the last three regular password changes.
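The complexity rule of section 3 and the password-history rule of section 6, as an added example that is not part of the original policy page or of ITS's systems: a candidate PIN is rejected unless it has at least one letter, at least one digit and the required length, and unless it differs from the last three PINs recorded for the account. Previous PINs are retained only as salted PBKDF2 hashes and compared in constant time, so the history store never holds clear-text passwords. Assumptions: the phrase "of eight characters" is read as exactly eight (change the comparison if a minimum is meant), the PBKDF2 round count is chosen for the example, and the sample PINs are constructed.

```python
"""PIN complexity and password-history checks (added example, not ITS code)."""
import hashlib
import hmac
import secrets
from typing import List, Tuple

PIN_LENGTH = 8           # from the policy: eight characters (assumed exact length)
HISTORY_DEPTH = 3        # from the policy: last three regular password changes
PBKDF2_ROUNDS = 100_000  # assumption: cost parameter chosen for this example


def complexity_problems(pin: str) -> List[str]:
    """Return the policy rules the candidate PIN violates (empty list means it passes)."""
    problems = []
    if len(pin) != PIN_LENGTH:
        problems.append(f"must be {PIN_LENGTH} characters long")
    if not any(c.isascii() and c.isalpha() for c in pin):
        problems.append("must contain at least one letter (a-z, A-Z)")
    if not any(c.isascii() and c.isdigit() for c in pin):
        problems.append("must contain at least one digit (0-9)")
    return problems


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the PIN; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PinHistory:
    """Keeps the salted hashes of the last HISTORY_DEPTH PINs of one account."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last

    def was_used_recently(self, pin: str) -> bool:
        """True if the PIN matches any retained hash (constant-time comparison)."""
        return any(hmac.compare_digest(hash_pin(pin, salt), digest)
                   for salt, digest in self._entries)

    def record(self, pin: str) -> None:
        """Append the new PIN's hash with a fresh salt and drop entries beyond the window."""
        salt = secrets.token_bytes(16)
        self._entries.append((salt, hash_pin(pin, salt)))
        del self._entries[:-HISTORY_DEPTH]   # keep only the newest three


def change_pin(history: PinHistory, new_pin: str) -> Tuple[bool, str]:
    """Apply both checks; on success record the new PIN and return (True, 'ok')."""
    problems = complexity_problems(new_pin)
    if problems:
        return False, "; ".join(problems)
    if history.was_used_recently(new_pin):
        return False, f"matches one of the last {HISTORY_DEPTH} PINs"
    history.record(new_pin)
    return True, "ok"


def demo() -> dict:
    """Run a sequence of PIN changes on one constructed account."""
    hist = PinHistory()
    out = {}
    out["too_short"] = change_pin(hist, "abc123")[0]       # False: only six characters
    out["no_digit"] = change_pin(hist, "abcdefgh")[0]      # False: letters only
    out["no_letter"] = change_pin(hist, "12345678")[0]     # False: digits only
    out["first"] = change_pin(hist, "Pa55word")[0]         # True
    out["second"] = change_pin(hist, "Qw3rty78")[0]        # True
    out["third"] = change_pin(hist, "Zx9cvbn1")[0]         # True
    out["fourth"] = change_pin(hist, "Mn4bvcx2")[0]        # True
    out["reuse_recent"] = change_pin(hist, "Qw3rty78")[0]  # False: still within the last three
    out["reuse_oldest"] = change_pin(hist, "Pa55word")[0]  # True: has dropped out of the window
    return out


if __name__ == "__main__":
    print(demo())
```

The history check is deliberately performed after the complexity check, so a PIN that fails the format rules never gets hashed against the stored entries, and `was_used_recently` reports only a boolean rather than which earlier PIN matched.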