New Password Policy to Enhance Information Security
A new password policy has been put in place since July 2010 for enhancing the information security in the University. Under this new policy, a number of enhanced security measures are being enforced to help reinforcing password security, protecting data integrity in central computer servers and preventing users from using weak and easily guessed passwords without regular changes.
The new password policy has been implemented in two phases. Phase One was launched on 15 July 2010 and Phase Two will be rolled out in early November 2010.
Below is a recap of the measures taken under Phase One of the new password policy:
1. Regular Password Change (every 180 days)
- A mandatory change of HKU Portal/Enterprise Portal PIN is instituted on a regular basis of every 180 days.
- Daily reminders will be sent to account holders 31 days before the password expiry until the password is changed before the expiry date.
- HKU Portal/Enterprise Portal accounts will be automatically disabled if the password is not changed before the expiry date.
2. Email Notification on Password Change
- A notification email will be sent to the account holder whenever his/her HKU Portal/Enterprise Portal PIN is changed.
3. Strengthen the Password
- Users are advised to change their initial HKU Portal/Enterprise Portal PIN immediately.
- When changing the PIN, users must assign a PIN with at least one letter (a-z, A-Z) and one digit (0-9) and must be of eight characters.
As we are supporting a large population, the Regular Password Change will be effected on staff and students in different batches. When the measure is enabled for a user, he/she is required to change the HKU Portal PIN (password) in every 180 days. He/she will receive a reminder message one month before the password expiry date. The 180-day expiry period will be reset for counting again whenever the PIN is changed.
The following measures of Phase Two will be rolled out from early November 2010:
4. Account Locked after Repeated Login Failures
- A HKU Portal account is automatically locked after eight repeated login failures to HKU Portal and no further login attempts will be allowed within 30 minutes.
- A notification email will be sent to the user when the account is locked.
5. Introduction of "Secret Question" for Identity Verification
- A "secret question" approach is implemented through which users can make use of this self-help mechanism to verify their identity when they forget the passwords. This would eliminate the use of paper form and the lead-time required in processing. Staff and students can register for this service for their convenience.
6. Password History
- Users will not be allowed to use an old password that has been used in the last three regular password changes.
For questions related to the above, please feel free to contact the undersigned.