According to the recommendations of the National Cyber Security Centre (UK Government) and the National Institute of Standards and Technology (Department of Commerce, USA), the periodic password-change requirement can be withdrawn, since it is no longer an effective means of protecting against password leakage given the technological advancements that can be used for hacking.
After considerable discussion and consultation, the password policy (for the HKU Portal PIN) will be updated by withdrawing the requirement of a 180-day periodic password change, starting from February 18, 2019. In tandem with this change, ITS will put in place a new security measure to alert users, through their mobile phone and/or the alternate email address registered with ITS, of possible password leakage when a login session (HKU Portal or HKU email) originating from an IP address outside Hong Kong is detected and the user has not been alerted within the last two weeks. In addition, users will be alerted when their accounts are accessed from IP addresses in multiple geographically distant places within a short period of time.
Staff and students who have not yet registered their mobile phone number and/or alternate email address for receiving alerts from ITS should do so by logging in to HKU Portal (type “contact info” in the Search field > click the link “Register Contact Info with ITS”).
Despite the changes described above, staff and students are advised to keep using a strong HKU Portal PIN to mitigate the risk of their password being hacked by brute-force attacks.
Director of IT Services
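The two alert rules described in the notice above can be sketched as detection logic over login events; this is an added example, not ITS's own code. The event fields (country and coordinates, assumed to come from a GeoIP lookup), the account name, and the 500 km / 900 km/h thresholds standing in for "geographically distant" and "short period" are assumptions, as is treating an alert of either kind as starting the two-week quiet period.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SUPPRESS = timedelta(days=14)  # from the notice: no repeat alert within two weeks
MIN_KM, MAX_KMH = 500.0, 900.0  # assumed meaning of "distant" and "short period"

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events):
    """Return (user, time, rule) alerts for time-ordered login events."""
    alerts, last_login, last_alert = [], {}, {}
    for e in events:
        user, t, rule = e["user"], e["time"], None
        prev = last_login.get(user)
        if prev:  # rule 2: implied travel speed between consecutive logins
            dist = km(prev["pos"], e["pos"])
            hours = max((t - prev["time"]).total_seconds() / 3600, 1e-6)
            if dist >= MIN_KM and dist / hours > MAX_KMH:
                rule = "distant-places"
        if rule is None and e["country"] != "HK":  # rule 1: login from outside Hong Kong
            # Assumption: any earlier alert of either kind starts the two-week quiet period.
            if user not in last_alert or t - last_alert[user] >= SUPPRESS:
                rule = "outside-hk"
        if rule:
            alerts.append((user, t, rule))
            last_alert[user] = t
        last_login[user] = e
    return alerts

HK, LONDON = (22.28, 114.16), (51.51, -0.13)

def sample_events():
    """Constructed login events for one hypothetical account (not real log data)."""
    rows = [("2019-03-01 09:00", "HK", HK),      # normal login
            ("2019-03-05 10:00", "GB", LONDON),  # first overseas login -> outside-hk
            ("2019-03-10 08:00", "GB", LONDON),  # overseas again, alerted 5 days ago -> quiet
            ("2019-03-10 09:00", "HK", HK),      # ~9,600 km in one hour -> distant-places
            ("2019-03-25 09:00", "GB", LONDON)]  # 15 days since last alert -> outside-hk
    return [{"user": "u1234567", "time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
             "country": c, "pos": p} for ts, c, p in rows]

if __name__ == "__main__":
    for user, t, rule in detect(sample_events()):
        print(t.isoformat(" "), user, rule)
```

The distance floor keeps GeoIP jitter between nearby locations from triggering the second rule; VPN and mobile-carrier egress points are the usual source of false positives for both rules.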