This policy is established in order to enhance information security for The University of Hong Kong. Its requirements help to ensure personal security and to protect data integrity in academic and research interactions throughout the University.
The Password Policy was refined in December 2011; details can be found in the following sections.
- Regular Password Change (every 180 days)
- Email Notification on Password Change
- Protect and Strengthen the Password
- Account Locked after Repeated Login Failures
- Use “Alternate Email Address” and “Mobile Phone (SMS)” for Identity Verification when PIN is Forgotten
- Use “Secret Question” for Identity Verification when PIN is Forgotten
- Password History
1. Regular Password Change (every 180 days)
- Staff and students will be reminded to change their HKU Portal PIN (PIN) regularly, every 180 days.
- Staff and students are strongly advised to follow the 180-day password change practice.
- Staff and students will see a reminder message when they login to HKU Portal 2 weeks before the password expiry (see screen captures). They will also receive email messages to remind them to change their PIN.
- Upon receipt of the reminder message, staff and students can choose to change their PIN immediately or do so later.
- Staff in the administrative/service departments (including Information Technology Services, CEDARS, Estates Office, FEO, Registry, Development & Alumni Affairs Office and the Management Information Unit of the President's Office) who are required to handle personal, sensitive and financial information through the HKU Portal will be required to change their PIN every 180 days, based on the Audit Committee’s recommendation. Their departments will be asked to assess whether keeping a password unchanged is acceptable given the work nature of the staff members concerned.
- Heads of the above-mentioned administrative/service departments will receive a monthly reference list of their colleagues who have not changed their PIN for over 180 days, so that they can remind them to follow the 180-day password change practice.
- If the PIN is not changed, or no confirmation of a PIN change is received, within the 2 weeks before the password expiry date, the HKU Portal account will be temporarily disabled after the 180-day password expiry date (see screen capture).
- If an HKU Portal account has been disabled because of password ageing, staff/students can reactivate it by changing the PIN online when they next attempt to log in to HKU Portal (see http://www.its.hku.hk/documentation/guide/account/reset-pin-pwd-ageing for the procedure).
- With effect from 6 May 2015, users who have not yet changed their PIN from 8 characters to 10-18 characters will be required to reset it upon the next 180-day password expiry.
2. Email Notification on Password Change
- A notification email will be sent to the account holder whenever his/her HKU Portal PIN is changed.
3. Protect and Strengthen the Password
- Staff and students should not let others use their UID and PIN/passwords.
- Staff and students should keep their PIN/passwords confidential as they will be held responsible for all transactions using their UID and PIN/passwords.
- Staff and students are advised to change their initial HKU Portal PIN immediately.
- When changing the PIN, users must assign a PIN with at least one letter (a-z, A-Z) and one digit (0-9) and must be of 10-18 characters.
4. Account Locked after Repeated Login Failures
- An HKU Portal account will be automatically locked after eight repeated login failures, and no further login attempts will be allowed within 30 minutes.
- A notification email will be sent to the user after the account is locked.
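The lockout rule above can be implemented as a small guard in front of the credential check. The following is an added example and not ITS code: it counts consecutive failures per UID, locks the account for 30 minutes on the eighth failure, refuses further attempts while the lock is in force without even evaluating the PIN, and calls a notification hook so that the account holder can be emailed. The `verify_pin`, `notify` and `clock` parameters are assumptions introduced for illustration; the clock is injectable so that the 30-minute window can be tested without waiting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional
import hmac

MAX_FAILURES = 8                  # policy: locked after eight repeated failures
LOCKOUT = timedelta(minutes=30)   # policy: no further attempts within 30 minutes


@dataclass
class AccountState:
    failures: int = 0                          # consecutive failed attempts
    locked_until: Optional[datetime] = None    # None when not locked


class LoginGuard:
    """Tracks failed logins per UID and enforces the lockout rule."""

    def __init__(self, verify_pin: Callable[[str, str], bool],
                 notify: Callable[[str, datetime], None],
                 clock: Callable[[], datetime] = datetime.now):
        self._verify = verify_pin   # assumed hook: checks UID/PIN against the store
        self._notify = notify       # assumed hook: sends the lock notification email
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def attempt(self, uid: str, pin: str) -> str:
        """Returns 'ok', 'failed' or 'locked'."""
        now = self._clock()
        state = self._accounts.setdefault(uid, AccountState())

        if state.locked_until is not None:
            if now < state.locked_until:
                # Still inside the 30-minute window: do not evaluate the PIN at all,
                # so a guessing campaign gets no signal about its correctness.
                return "locked"
            # Lock has expired; start counting afresh.
            state.locked_until = None
            state.failures = 0

        if self._verify(uid, pin):
            state.failures = 0       # a successful login resets the counter
            return "ok"

        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked_until = now + LOCKOUT
            self._notify(uid, state.locked_until)   # email the account holder
            return "locked"
        return "failed"


# Constructed sample credential store and notification log for a stand-alone run.
SAMPLE_PINS = {"u1234567": "correcthorse42"}
NOTIFICATIONS = []


def sample_verify(uid: str, pin: str) -> bool:
    stored = SAMPLE_PINS.get(uid, "")
    return hmac.compare_digest(stored.encode(), pin.encode())


def sample_notify(uid: str, until: datetime) -> None:
    NOTIFICATIONS.append((uid, until))


def demo(start: datetime) -> list:
    """Eight wrong PINs, then a correct one inside the window, then after it."""
    t = [start]
    guard = LoginGuard(sample_verify, sample_notify, clock=lambda: t[0])
    results = [guard.attempt("u1234567", "wrong%d" % i) for i in range(8)]
    results.append(guard.attempt("u1234567", "correcthorse42"))   # still locked
    t[0] = start + LOCKOUT                                          # window over
    results.append(guard.attempt("u1234567", "correcthorse42"))    # ok
    return results


if __name__ == "__main__":
    print(demo(datetime(2016, 6, 1, 9, 0)))
```

Note that the guard refuses a correct PIN while the lock is in force; that is what makes the 30-minute window meaningful against automated guessing.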
5. Use “Secret Question” for Identity Verification when PIN is Forgotten (effective from November 2010)
- A “secret question” mechanism is provided so that users who have forgotten their password can verify their identity when submitting a password change request. With this approach, no paper application with identity proof needs to be submitted to ITS for a password change.
The mechanism operates as follows:
- Users can select from five pre-defined secret questions or define their own secret questions.
- Users then assign the answers to the secret questions.
- Users enter their HKU Portal UID and Staff/Student No., select the correct questions and provide case-insensitive, exact-match answers to the secret questions; the system then checks the correctness of the information entered.
- Users will also be asked to type in a few random letters or digits shown in a graphical image that cannot be read by a machine. This prevents automated or electronic processes from accessing the online form.
- After the information is checked, the user is allowed to reset the password.
- The new password will be effective in 10 minutes.
- Users have to set up “secret question” before they can use this approach to reset their password.
6. Use “Alternate Email Address” and “Mobile Phone (SMS)” for Identity Verification when PIN is Forgotten (effective from June 2016)
- Staff and students can register an alternate email address and a mobile phone number for resetting their HKU Portal PIN online. By submitting an online application, they are no longer required to submit a paper application form and identity proof to request a PIN reset.
The procedure for online PIN reset is as follows:
- Staff and students enter their HKU Portal UID and staff/student no. together with a few random letters or digits generated in a graphical image that cannot be read by machines. This prevents random attempts by brute force attacks.
- To use the “alternate email address” for PIN reset, an email containing a verification link is sent to the user’s registered alternate email address. The user clicks the verification link to reset the PIN.
- To use the “mobile phone (SMS)” for PIN reset, a 6-digit verification code is sent to the user’s registered mobile phone number. The user enters the code in the PIN reset form and, once it is verified as correct, can assign a new PIN.
- The new password will be effective in 10 minutes.
- See http://www.its.hku.hk/documentation/guide/account/reset-pin-online for the procedures.
7. Password History
- Users are encouraged not to reuse their passwords.
- Users will not be allowed to use an old password that has been used in the last three regular password changes.
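The composition rule in section 3 (10-18 characters, at least one letter and one digit) and the reuse rule above can be enforced together at PIN-change time. The following is an added example, not ITS code: it checks the composition rule and compares the candidate PIN against salted PBKDF2 hashes of the three most recent PINs, so that the history check never requires old PINs to be stored in clear. The class and function names, the hash parameters and the sample PINs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

MIN_LEN, MAX_LEN = 10, 18      # policy: PIN must be 10-18 characters
HISTORY_DEPTH = 3              # policy: no reuse of the last three PINs
PBKDF2_ITERATIONS = 50_000     # assumed work factor for the history hashes


def check_complexity(pin: str) -> List[str]:
    """Returns a list of policy violations; empty means the PIN is acceptable."""
    problems = []
    if not MIN_LEN <= len(pin) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if not re.search(r"[A-Za-z]", pin):
        problems.append("must contain at least one letter (a-z, A-Z)")
    if not re.search(r"[0-9]", pin):
        problems.append("must contain at least one digit (0-9)")
    return problems


def _digest(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PinHistory:
    """Salted hashes of the most recent PINs, newest first; plaintext is never kept."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, digest)

    def reused(self, pin: str) -> bool:
        # Each entry has its own salt, so the candidate is hashed once per entry.
        return any(hmac.compare_digest(_digest(pin, salt), digest)
                   for salt, digest in self._entries)

    def record(self, pin: str) -> None:
        salt = os.urandom(16)
        self._entries.insert(0, (salt, _digest(pin, salt)))
        del self._entries[HISTORY_DEPTH:]     # keep only the last three changes


def validate_new_pin(pin: str, history: PinHistory) -> List[str]:
    """Full check performed when a user submits a new PIN."""
    problems = check_complexity(pin)
    if history.reused(pin):
        problems.append("matches one of the last %d PINs" % HISTORY_DEPTH)
    return problems


def demo() -> dict:
    """Constructed sequence of four PIN changes followed by two reuse attempts."""
    history = PinHistory()
    for old in ["alpha12345", "bravo12345", "charlie12345", "delta12345"]:
        assert validate_new_pin(old, history) == []
        history.record(old)
    return {
        # The oldest PIN has fallen out of the three-deep history, so it is allowed.
        "oldest": validate_new_pin("alpha12345", history),
        # The most recent PIN is still in the history and is refused.
        "latest": validate_new_pin("delta12345", history),
        "too_short": validate_new_pin("abc123", history),
        "no_digit": validate_new_pin("abcdefghijkl", history),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "accepted")
```

The composition check alone is cheap; the history comparison costs one PBKDF2 evaluation per stored entry, which is acceptable for a PIN-change form that is used at most once per 180 days.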