Information Technology Services Centre - OnePass (CWEM) Password Policy
  • Submit
  • OnePass (CWEM) Password Policy

    The access control of most of the University applications is using username and password. Keeping comprehensive and strict password standards is important to enhance security. One of the most often-overlooked yet crucial elements to maintain the security of information assets is protecting the passwords of our users. Weak passwords are extremely vulnerable to cracking techniques such as brute force attacks. Failure to implement strong password policy means that users may be allowed to choose passwords that are short in length, based on their usernames, or just using numbers. All of these passwords are very easy to crack.


    dummy image
    1. Policy Statement

    This policy is to set a strong password to minimize the potential risk of unauthorized access to important data and unauthorized use of computing resources. It applies to all OnePass* account holders including CUHK staff, students and departments.

    *Also apply to CWEM account.


    dummy image
    1. Definition

    OnePass System - OnePass System is the brand name for the Identity and Access Management (IAM) System which is set up for enhanced security, one password for all applications, support of new applications and Single-Sign-On (SSO) since Feb 2015. A common global login page for access to applications and a self-service reset-password page are provided by OnePass System for better security and user convenience.


    dummy image
    1. Guidelines & Procedures

    The existing OnePass password policy was first endorsed by ex-IT Policy Committee in Nov 2014 and had been deployed since Feb 2015 when the OnePass System was put into production. The 180-day Password Expiration policy was later included and endorsed by IT Governance Committee in Sep 2015 and has been applied since 2 Sep 2015. After collecting user feedback, ITSC has got the endorsement from University IT Governance Committe to have the policy change as 400-Day OnePass Password Expiry

    The OnePass Password Policy is mainly divided into two parts – Account Control and Password Control. Account Control is related to the login process and password expiration. Password Control is related to enforcement of a secure password when users change their passwords.

    Account Control:

    • Accounts will be locked for 5 minutes after 10 consecutive unsuccessful login attempts. After that, it will be automatically unlocked
    • Same usernames are not allowed to login again within 5 seconds
    • Password Expiration: 400 Days 
      • Passwords need to be changed every 400 days. Email reminders will be sent to designated account holders via This email address is being protected from spambots. You need JavaScript enabled to view it. (staff or department users) or This email address is being protected from spambots. You need JavaScript enabled to view it. (student users) on 30 days prior to the expiration.
      • Users could still change their passwords, though will not be able to access any university applications, when theirs are expired.

    Password Control:

    An OnePass password must fulfill the following requirements
    • Have length between 8 and 16 characters
    • Contain at least 4 unique characters
    • Contain at least 1 letter, 1 digit, and 1 special character
    • Use only these special characters:
      ! ? . % + = ^ $ & # -
      e.g. ab!2cd34, mon=2y, BE.Best1
    • NOT reuse last 5 passwords
    • NOT contain a login ID i.e. staff or student or project ID

    Change Password:


    dummy image
    1. Reference