Password Policy

This policy is established in order to enhance information security for The University of Hong Kong. These requirements are necessary to help ensure information security and protection of data integrity. 

The Password Policy has been refined in February 2019 and is stipulated in the following sections

1. Login Alert

Staff, students and holders of departmental accounts will be alerted through their mobile phone and/or alternate email address registered with ITS of possible password leakage when a login session (HKU Portal or HKU email) originated from an IP address outside Hong Kong is detected whereas the user has not been alerted before within the last two weeks. For retirees, graduates as well as staff and students who have not registered their mobile phone and/or alternate email address with ITS, alert will be sent to their HKU email accounts. 

2. Email Notification on Change of HKU Portal PIN

Staff, students, holders of departmental accounts and retirees will receive a notification email sent to their HKU email accounts after their HKU Portal PIN is changed. 

3. Protect and Strengthen the Password

  • Users should not share their HKU Portal UID (UID) and PIN and other account passwords for use by others. 
  • Users should keep their PIN/passwords confidential as they are held responsible for all transactions using their UID and PIN/passwords. 
  • Users are advised to change their initial HKU Portal PIN immediately. 
  • When changing the PIN, users must assign a PIN with at least one letter (a-z, A-Z) and one digit (0-9) and must be of 10-18 characters.  As a good practice supported by ITS, staff and students are recommended to assign a PIN with at least 14 characters consisting of upper case letters, lower case letters and digits. 

4. Account Locked after Repeated Login Failures

An HKU Portal account will be automatically locked for 30 minutes after 8 consecutive login failures to HKU Portal.  In this case, users will receive a notification email once the account is locked.  

5. Reset PIN

Staff and students can register their alternate email address and mobile phone number or set up a secret question for resetting their HKU Portal PIN online in case they forget it.  

To register alternate email address/mobile phone number:  

To set up a secret question: 

To reset PIN:  

6. Password History

  • Users are advised not to reuse their PIN/password. 
  • An old PIN that has been used in the last three resets will not be accepted. 

MFA

Multi-Factor Authentication

February 2024
February 2024

Mandatory for all staff accounts

May 2024
May 2024

Mandatory for all student accounts