According to recommendations from the UK Government's National Cyber Security Centre and the US Department of Commerce's National Institute of Standards and Technology, a periodic password-change requirement may not necessarily be an effective protection against password leakage, given advances in hacking technology.
After considerable discussion and consultation among user advisory groups, ITS announced in early February that the password policy for the HKU Portal PIN would be updated by withdrawing the 180-day periodic password change requirement starting from February 18, 2019. Associated with this change is a new security measure for alerting users of possible password leakage. When a login session (HKU Portal or HKU email) of a user originates from an IP address outside Hong Kong, and no login from a non-Hong Kong IP address has happened in the preceding two weeks, the user will receive an alert message through mobile phone SMS and email. In addition, users will also receive alerts when their accounts are accessed from IP addresses in multiple geographically distant places within a short period.
Staff and students who have not yet registered their mobile phone number and/or alternate email address for receiving alerts from ITS are advised to do so. This can be done by logging in to HKU Portal (type “contact info” in the Search field, and then click the link “Register Contact Info with ITS”).
Despite the changes described above, staff and students are reminded to set up a strong HKU Portal PIN to mitigate the risk of their password being hacked by brute force attacks.
For more details about the updated password policy, please refer to the following website:
P T Ho
Director of IT Services
Tel: 3549 5223
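
The two alert rules described above, sketched as an added example that is not ITS's implementation: it assumes login records are already geolocated, and the speed and distance thresholds for "geographically distant places within a short period" are assumed values, since the announcement does not state them.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

QUIET_WINDOW = timedelta(days=14)  # "last two weeks", from the announcement
MAX_SPEED_KMH = 900.0              # assumption: faster than an airliner is implausible travel
MIN_DISTANCE_KM = 500.0            # assumption: what counts as "geographically distant"

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def alerts_for(logins):
    """logins: iterable of (user, iso_time, country, (lat, lon)).
    Returns a list of (user, iso_time, rule) tuples in time order."""
    out = []
    last_foreign = {}  # user -> time of most recent non-HK login
    previous = {}      # user -> (time, coords) of most recent login
    for user, ts, country, where in sorted(logins, key=lambda r: r[1]):
        t = datetime.fromisoformat(ts)
        if country != "HK":
            seen = last_foreign.get(user)
            if seen is None or t - seen > QUIET_WINDOW:
                out.append((user, ts, "non-HK login, none in last two weeks"))
            last_foreign[user] = t
        if user in previous:
            t0, where0 = previous[user]
            dist = km_between(where0, where)
            hours = max((t - t0).total_seconds() / 3600, 1e-6)
            if dist >= MIN_DISTANCE_KM and dist / hours > MAX_SPEED_KMH:
                out.append((user, ts, "distant locations within a short period"))
        previous[user] = (t, where)
    return out

# Constructed sample records (not real data).
HK, LONDON, TOKYO = (22.28, 114.16), (51.51, -0.13), (35.68, 139.69)
SAMPLE = [
    ("alice", "2019-03-01T09:00:00", "HK", HK),
    ("alice", "2019-03-01T10:00:00", "GB", LONDON),  # both rules fire
    ("alice", "2019-03-05T10:00:00", "GB", LONDON),  # non-HK login 4 days earlier: quiet
    ("bob",   "2019-03-01T08:00:00", "HK", HK),
    ("bob",   "2019-03-02T20:00:00", "JP", TOKYO),   # plausible flight, but first non-HK login
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE):
        print(alert)
```

A user who travels and keeps logging in from abroad receives one alert at the start of the trip, because each non-HK login refreshes the two-week window.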