Strengthening Web Account Protection on

by Wilson Wong

It is always recommended that a strong password should be used to resist guessing and brute-force attacks and lower the risk of security breach. An account with a weak password, such as a word in dictionary, can easily be broken by a hacker. He/She may then read, modify or delete all your files and even use your account to attack systems in the university. You may then ask: how do I know if my password is strong and good enough?


If you do a search on the internet for “password recommendations”, you will find many all over the world. To summarize, a strong and good password:

  • is not listed in dictionaries of any languages;
  • is not a regular word with a number tacked onto the end;
  • is not a regular word written backwards;
  • is easy to remember, i.e. no need to write it down;
  • contains at least 8 characters long;
  • contains upper and lower case letters, digits and symbols;
  • should be changed regularly.


There are also some hints on how to choose a strong/good password:

  • Make a sentence that is meaningful to you only, such as “I joined City University in 2011”. Then use the first letter of each word of the sentence and replace “0” (zero) with “O” (capital o), “1” with “l” (small letter L) or “!”, “a” with ‘@”, etc. The above sentence will then generate a password “IjCUi2O!!”.
  • Choose a short phrase that is meaningful to you only and spelt phonetically, e.g. “I care for you!” may become a password ‘‘AiKair4u!’.


To comply with the requirements as recommended by the Internal Auditor to strengthen access protection for web accounts, one of the measures on use of more restrictive passwords has been enforced on From now on, a valid password has to conform to the following format:

  1. At least 8 characters long
  2. Contains at least 1 upper case (capital) letter
  3. Contains at least 1 lower case letter
  4. Contains at least 1 digit
  5. Contains at least 1 special character, for example ( ) < > / \ [ ] $ %


The following best practice has also been enforced:


a) The maximum number of login retry is 5, and the account will be locked even when the correct password is entered on the 6th time. This is to avoid password hacking. Should the account be locked, please contact the Computing Services Centre (CSC) to release it.

b) The maximum age of password is 26 weeks. You will be prompted to change password after 26 weeks, and please note that the 10 passwords used previously cannot be reused.

c) The new password must have at least 3 characters different from the current password.

d) The minimum interval between password changes is 1 week. This is to avoid frequent reuse of favorite password. Should you have genuine need to change password again within 1 week, please raise a CSC Work Request.


If there is a need to share your password with co-workers on ad hoc matters, do change the password immediately afterwards. For regular tasks where the web account is used by two or more colleagues, agreeing on a password that can be remembered by all personnel is recommended. Do not write it down or post it on monitor, bulletin board and log book. Nevertheless, no matter how strong your password is, do avoid having it remembered by computer applications e.g. web browser, mobile phone. Adding a screen saver with password protection is also advisable.