BİM.PR.12 — Password Management and Reset Procedure
| Document No | BİM.PR.12 | Version | 1.0 | Initial Release | 26.04.2026 |
|---|---|---|---|---|---|
| Owner Group | Network and Security Group | ||||
| Prepared by | IT Directorate — Network and Security Group | ||||
| Approved by | Mehmet ARARAT — IT Director | ||||
| Legal Basis | KVKK Art. 12 · Law No. 5651 · TS EN ISO/IEC 27001:2022 A.5.16 / A.5.17 / A.8.5 · BİGDES | ||||
| Related Documents | KYS.POL.01 (P06 Password, P18 Authentication), KYS.POL.02, KYS.POL.04, BİM.PR.05, BİM.PR.13, BİM.PR.18, BİM.PR.27 |
1. Purpose and Scope
Within the framework of KYS.POL.01 P06 (Password Policy) and P18 (Authentication and Authorisation), this procedure defines the minimum standards for creating, using, changing, and resetting corporate passwords used to access all IT systems of Hasan Kalyoncu University.
It covers all administrative, academic, and part-time staff, undergraduate/postgraduate students, visiting faculty, and all systems accessed via portal.hku.edu.tr (Google Workspace corporate email, SIS, EBYS, LMS, campus network, VPN, library, Academic Incentive, BAP, DESK, Technical Portal, Events Portal, HKU Mobile).
2. Password Standards
| Rule | Value | Reference |
|---|---|---|
| Minimum length | 12 characters | A.8.5 |
| Complexity | Uppercase + lowercase + digit + special character (all four required) | A.8.5 |
| Special Turkish characters | Not recommended in passwords (for compatibility) | P06 s.504 |
| Mandatory periodic change — System administrator | Every 6 months | P06 s.499 |
| Mandatory periodic change — Standard user | Annually | P06 s.500 |
| Suspected compromise | Immediate change | A.5.17 |
| Password history | Last 5 passwords cannot be reused | A.5.17 |
| Account lockout | 15-minute lockout after 5 consecutive failed attempts | A.8.5 |
| Weak password check | Dictionary + common password list + name/surname/birth year rejection | A.5.17 |
| Storage | One-way cryptographic hash (bcrypt/Argon2) | A.8.24 |
3. Changing Your Password
https://portal.hku.edu.tr → Log in → Account → Change Password → current password + new password → Save. All systems synchronise within 5 minutes.
4. Password Reset
4.1 Self-service: portal.hku.edu.tr/sifre-sifirla → username + registered personal mobile number → SMS code → 2FA confirmation → new password.
4.2 In-person at Help Desk: If your 2FA device/mobile number is unavailable, visit the BIM Help Desk with your ID card. After identity verification by staff, a temporary password will be assigned; setting a new password on first login is mandatory.
4.3 Unacceptable channels: Password requests submitted by phone, WhatsApp, email, or social media are treated as phishing and will not be processed.
5. User Responsibilities (P06 + KYS.POL.04)
- Do not share your password with anyone (including BIM staff — P06 s.502).
- Do not store your password on paper, monitor edges, shared notes, or similar physical media.
- Do not use the same password for personal accounts (P06 s.526).
- Do not enable “remember password” features (P06 s.535).
- If you suspect a compromise, change your password within 24 hours and open a ticket at
destek.hku.edu.tr.
6. Service Level
| Action | Timeframe |
|---|---|
| Self-service reset | Instant |
| In-person Help Desk | Same business day |
| Written (ticket) request | 1 business day |
7. Breach and Sanctions
Pursuant to KYS.POL.04 s.55: disciplinary proceedings will be initiated and legal action applied for policy violations. Liability for unauthorised access resulting from password sharing rests with the account holder. BIM takes only technical measures (temporary suspension, mandatory reset); disciplinary sanctions are imposed by the competent boards under YÖK Disciplinary Regulations.
8. Entry into Force
Enters into force on 26.04.2026; reviewed by BIM Network and Security Group every January and July.
Hasan Kalyoncu University · IT Directorate
Osmanlı Mah. Havaalanı Yolu Üzeri 8. Km 27010 Şahinbey/Gaziantep
444 6 458 · destek@hku.edu.tr · destek.hku.edu.tr · portal.hku.edu.tr
KEP: hasankalyoncu.unv@hs01.kep.tr
This procedure has been prepared within the scope of HKU ISMS (ISO/IEC 27001:2022) and QMS (TS EN ISO 9001:2015), in compliance with KYS.POL.01–KYS.POL.05 policies.