Most University applications control access with a username and password. Keeping comprehensive and strict password standards is important to enhance security. One of the most often-overlooked yet crucial elements of maintaining the security of information assets is protecting our users' passwords. Weak passwords are extremely vulnerable to cracking techniques such as brute-force attacks. Failing to implement a strong password policy means that users may be allowed to choose passwords that are short, based on their usernames, or made up only of numbers. All of these passwords are very easy to crack.
*Also applies to CWEM accounts.
Guidelines & Procedures
The existing OnePass password policy was first endorsed by the former IT Policy Committee in Nov 2014 and has been deployed since Feb 2015, when the OnePass System was put into production. The 180-day Password Expiration policy was later included and endorsed by the IT Governance Committee in Sep 2015 and has been applied since 2 Sep 2015. After collecting user feedback, ITSC obtained endorsement from the University IT Governance Committee to change the policy to a 400-day OnePass password expiry.
The OnePass Password Policy is mainly divided into two parts – Account Control and Password Control. Account Control is related to the login process and password expiration. Password Control is related to enforcement of a secure password when users change their passwords.
- Accounts will be locked for 5 minutes after 10 consecutive unsuccessful login attempts. After that, they will be automatically unlocked.
- The same username is not allowed to log in again within 5 seconds.
- Password Expiration: 400 Days
- When their passwords have expired, users can still change them but will not be able to access any University applications.
Password Control: A OnePass password must fulfill the following requirements:
- Have length between 8 and 16 characters
- Contain at least 4 unique characters
- Contain at least 1 letter, 1 digit, and 1 special character
- Use only these special characters:
! ? . % + = ^ $ & # -
e.g. ab!2cd34, mon=2y, BE.Best1
- NOT reuse the last 5 passwords
- NOT contain a login ID, i.e. a staff, student or project ID
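The Password Control rules above can be checked mechanically. The following is an added example, not ITSC's or the OnePass System's own code: the function name, the rule labels and the login ID are hypothetical, it assumes letters and digits mean ASCII ones and that the login ID comparison ignores case, and it leaves out the last-5-passwords rule because that needs stored password history.

```python
import string

# Rule values are taken from the Password Control list above.
MIN_LEN, MAX_LEN = 8, 16
MIN_UNIQUE = 4
ALLOWED_SPECIALS = set("!?.%+=^$&#-")
LETTERS = set(string.ascii_letters)  # assumption: ASCII letters only
DIGITS = set(string.digits)


def check_password(password, login_id):
    """Return the labels of violated rules; an empty list means it passes."""
    problems = []
    chars = set(password)

    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if len(chars) < MIN_UNIQUE:
        problems.append("unique")
    if not chars & LETTERS:
        problems.append("letter")
    if not chars & DIGITS:
        problems.append("digit")
    if not chars & ALLOWED_SPECIALS:
        problems.append("special")
    # Anything that is not a letter, digit or listed special is rejected,
    # which also catches spaces and symbols such as "@".
    if chars - LETTERS - DIGITS - ALLOWED_SPECIALS:
        problems.append("charset")
    # Assumption: the login ID comparison ignores case.
    if login_id and login_id.lower() in password.lower():
        problems.append("login_id")
    return problems


if __name__ == "__main__":
    # Sample passwords from the page, followed by constructed ones.
    samples = ["ab!2cd34", "BE.Best1", "mon=2y",
               "s1234567!", "aaa111!!!", "Pass word1!", "abcdefgh1@"]
    for pw in samples:
        # "s1234567" is a constructed login ID.
        print(repr(pw), check_password(pw, "s1234567") or "ok")
```

Returning every violated rule, instead of stopping at the first, lets a change-password form tell the user everything to fix in one pass.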
- Users can change their OnePass passwords at http://cai.itsc.cuhk.edu.hk/chgpwd/
- If users have forgotten their passwords, they can
  - Reset their passwords through “OnePass Personalized Security Questions”, provided that they have set up this facility before.
  - Request a new password by contacting ITSC
- If user passwords expire, they can
- Once changed, users will need to change their passwords again every 400 days.
Information Technology Services Centre