Skip to content

Password Policy and Reset

Password Policy and Reset

Institutional account security is one of the core controls implemented by Hasan Kalyoncu University Information Technologies Directorate within the ISO/IEC 27001:2022 Information Security Management System framework. All users are obligated to comply with this policy.

1. Password Complexity Requirements

  • Must be at least 8 characters long (12+ characters recommended).
  • Must contain at least one uppercase letter (A-Z).
  • Must contain at least one lowercase letter (a-z).
  • Must contain at least one digit (0-9).
  • Must contain at least one special character (!, @, #, $, %, &, *, ?).
  • Must not contain your username, first name, last name, date of birth, student number, or national ID number.
  • Common dictionary words or sequential character strings (123456, qwerty, password, hku2024) are rejected.

2. Expiry Period and Password History

  • Passwords must be renewed at least every 180 days.
  • The last 5 passwords cannot be reused.
  • After 5 failed login attempts, the account is temporarily locked for 30 minutes.
  • New staff and students are required to change their password on first login.
Warning: Do not use the same password across multiple platforms (banking, social media, HKU account). Using a password manager (Google Password Manager, Bitwarden, etc.) is recommended.

3. Password Reset Methods

A. Self-Service Reset (Recommended)

  1. Go to mail.google.com.
  2. Enter your email address, then click the “Forgot your password?” link.
  3. Verify your identity using the recovery phone number or alternative email address you registered previously.
  4. Set a new password that complies with the policy on this page.

B. Request via DESK

  1. Log in to desk.hku.edu.tr.
  2. Create a new request under the “Account and Password” category.
  3. Provide your student number or staff personnel number for identity verification.
  4. The BIM team will verify your identity by phone or SMS and generate a temporary password.

C. In-Person Identity Verification

Users who cannot access their recovery information may visit the BIM office in person with their HKU ID card to have their password reset.

4. Signs That Your Account Has Been Compromised

  • Login warnings from an unknown device or location.
  • Emails in your Sent Items folder that you did not send.
  • Unexpected messages in your inbox that have been deleted or marked as read.
  • Unauthorized changes to your recovery phone number or alternative email address.
  • Files in Drive that have been deleted or had their sharing permissions changed.

5. Best Practice Recommendations

  • Keep two-factor authentication (2FA) enabled.
  • When saving your password in a browser, store it only in your institutional profile.
  • Never share your password with anyone, under any circumstances, through any channel. BIM staff will never ask for your password.
  • Always sign out after each session on shared computers.
Scroll to Top