
Password Policy

This policy is established to enhance information security for The University of Hong Kong. Its requirements are necessary to help ensure personal security and to protect data integrity and academic and research interactions throughout the University.

The Password Policy was refined in February 2019 and is set out in the following sections:

  1. Login Alert
  2. Email Notification on Password Change
  3. Protect and Strengthen the Password
  4. Account Locked after Repeated Login Failures
  5. Use “Alternate Email Address” and “Mobile Phone (SMS)” to Reset HKU Portal PIN
  6. Use “Secret Question” to Reset HKU Portal PIN
  7. Password History

1. Login Alert

Staff, students and holders of departmental accounts will be alerted, through the mobile phone and/or alternate email address they have registered with ITS, of possible password leakage when a login session (HKU Portal or HKU email) originating from an IP address outside Hong Kong is detected and the user has not been alerted within the last two weeks. For retirees, graduates, and staff and students who have not registered their mobile phone and/or alternate email address with ITS, the alert will be sent to their HKU email accounts.

2. Email Notification on Change of HKU Portal PIN

Staff, students, holders of departmental accounts and retirees will receive a notification email sent to their HKU email accounts after their HKU Portal PIN is changed.

3. Protect and Strengthen the Password

  • Users should not share their HKU Portal UID (UID) and PIN and other account passwords for use by others.
  • Users should keep their PIN/passwords confidential as they are held responsible for all transactions using their UID and PIN/passwords.
  • Users are advised to change their initial HKU Portal PIN immediately.
  • When changing the PIN, users must assign a PIN of 10-18 characters containing at least one letter (a-z, A-Z) and one digit (0-9). As a good practice supported by ITS, staff and students are recommended to assign a PIN of at least 14 characters consisting of upper case letters, lower case letters and digits.

4. Account Locked after Repeated Login Failures (effective from November 2010)

An HKU Portal account will be automatically locked for 30 minutes after 8 consecutive login failures to HKU Portal. In this case, users will receive a notification email once the account is locked.

5. Use “Alternate Email Address” and “Mobile Phone (SMS)” to Reset PIN (effective from June 2016)

Staff and students can register their alternate email address and mobile phone number for resetting their HKU Portal PIN online in case they forget it. They can do this by logging in to HKU Portal (type “contact info” in the Search field > click the link “Register Contact Info with ITS”).

For the procedures on online PIN reset, please refer to https://www.its.hku.hk/documentation/guide/account/reset-pin-online. The new HKU Portal PIN will be effective in 10 minutes after a successful reset.

6. Use “Secret Question” to Reset PIN (effective from November 2010)

Staff and students can use a “secret question” to reset their HKU Portal PIN in case they forget it. They can set this up by logging in to HKU Portal (type “secret” in the Search field > click the link “Secret Question for Portal PIN”). They should select one of the 5 pre-defined questions or define a question of their own, then assign an answer to the selected/defined question.

For the procedures on online PIN reset, please refer to https://www.its.hku.hk/documentation/guide/account/reset-pin-online. The new HKU Portal PIN will be effective in 10 minutes after a successful reset.

7. Password History (effective from November 2010)

  • Users are advised not to reuse their PIN/password.
  • An old PIN that has been used in the last three resets will not be accepted.

 

Last update: 18 February 2019