Password Policy

    1. Introduction

    Passwords are classified as secret information and are the most common form of protection from unauthorized access. A poorly chosen or protected password compromises the confidentiality, availability, and integrity of FCA Group information.

    Users are responsible for all activities performed with the combination of their user ID and password. This policy aids in creating and managing secure passwords.

    2. Purpose and Scope

    The purpose of this policy is to provide the minimum requirements for the creation, use and protection of passwords.


    This policy applies to all FCA Group employees, affiliates and all other individuals or companies such as external partners or suppliers who have access to, or are responsible for, FCA Group information regardless of its form or medium.
    The requirements of this policy are in addition to the requirements of the Corporate Information Security Policy. This policy will be enforced according to the requirements of enforcement within the Corporate Information Security Policy.

    This policy supersedes all previous policies, standards, and guidelines related to passwords.

    3. Password Requirements

      1. Password Creation and Maintenance

      1. Passwords must be a minimum of 10 and a maximum of 15 characters in length.
      2. The pound sign special character (#) is not allowed in the first position of a password.
      3. Characters used in passwords must be a combination that meets ALL of the 3 criteria listed below:
        • uppercase letters (A-Z),
        • lowercase letters (a-z),
        • numbers (0-9)
        and the following OPTIONAL CRITERIA:
        • special characters: At sign (@), Pound Sign (#), Dollar Sign ($), Ampersand Sign (&), Asterisk (*), Percent Sign (%), Question Mark (?), Equal Sign (=).
      4. The user's T-ID cannot be embedded in the password. For example: *T1234ab or T1234ab&.
      5. Users must not choose passwords that are easily associated with FCA Group or the user. Examples: user ID, Social Security number, CID, TID, address, numerical equivalent of name, family names, pet names, etc.
      6. It is recommended that passwords are NEVER reused.

      2. Protecting Passwords

      1. Users must not use the "Remember Password" feature of applications such as Internet Explorer.
      2. Users must never write down passwords.
      3. Passwords must not be shared with anyone.
      4. There is no FCA Group process that requires you to give anyone else your password. If someone demands a password, refer them to this policy. If this happens frequently, the local Security function must be informed.
      5. FCA Group passwords should never be used for private or public accounts. Administrative passwords should never be the same as personal passwords.
      6. Individuals should open a trouble ticket with the FCA Group Service Desk if they have reason to believe a password has been compromised.

      3. Password Review

      1. ITM Information Security functions may perform random password testing according to local privacy laws and local regulations.

      4. Responsibilities - Data/Application Owners and Information Custodians

      1. The password policy applies to all FCA Group systems and applications, including purchased software.
      2. All main authentication systems and systems handling confidential or higher classified information must support this policy by enforcing the password rules. Additionally, appropriate logging of failed logon attempts and password change actions must occur. Detailed information is available in the Password Enforcement Standard.
      3. Applications must not allow the "Remember Password" feature.
      4. Passwords must be stored and transmitted in an approved hashed or encrypted format.
      5. Reset passwords must be communicated in a secure manner to users via a process that causes the user to retrieve the password only after being authenticated.

    4. Associated Policies and Standards

      1. Policies

      1. Authentication and Authorization Policy
      2. Information Data Classification
      3. Encryption Policy

      2. Standards

      1. Password Reset and Storage Standard
      2. Password Enforcement Standard
      3. Administrative Password Standard

    5. Guidelines

      1. Password Creation

      1. Mnemonic phrase-based passwords: Choose a phrase that is easy to remember and use the first letter of each word, plus its punctuation, to build a password. For example, the phrase "Money does not grow on 1 tree but security does not come for free!" yields the password: Mdngo1tbsdncff!
      2. A combination of substitution and compound words: Join two unrelated words together and substitute 0, 1, 3 and 5 for the letters o, l, e and s respectively. In addition, use mixed capitalization and special characters. For example, the words "policy" and "apple" yield the password: P01Icy@ppl3
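As an added example (not part of this policy or of any FCA Group tool), the following Python checks a candidate password against the mechanically testable rules of section 3.1 and builds a mnemonic password as described in guideline 5.1. It assumes the user's T-ID is supplied as a string such as "T1234", treats the special-character list in 3.1.3 as optional rather than as a whitelist, and leaves rule 3.1.5 (personal data) to the user, since it cannot be checked without that data.

```python
import re


def check_password(password: str, t_id: str) -> list[str]:
    """Return the section 3.1 rules the password violates; an empty list means compliant.

    t_id is the user's T-ID (assumed format, e.g. "T1234"); the embedding check
    is case-insensitive so "t1234" inside a password is also rejected.
    """
    violations = []
    if not 10 <= len(password) <= 15:
        violations.append("3.1.1: length must be between 10 and 15 characters")
    if password.startswith("#"):
        violations.append("3.1.2: '#' is not allowed in the first position")
    if not re.search(r"[A-Z]", password):
        violations.append("3.1.3: missing uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("3.1.3: missing lowercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("3.1.3: missing digit")
    if t_id and t_id.lower() in password.lower():
        violations.append("3.1.4: user T-ID embedded in password")
    return violations


def mnemonic_password(phrase: str) -> str:
    """Build a password per guideline 5.1: the first character of each word,
    keeping any punctuation attached to the word (e.g. "free!" contributes "f!")."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        out.extend(ch for ch in word[1:] if not ch.isalnum())
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: the policy's own guideline example and the rejected T-ID example.
    phrase = "Money does not grow on 1 tree but security does not come for free!"
    candidate = mnemonic_password(phrase)
    print(candidate, check_password(candidate, "T1234") or "compliant")
    print("*T1234ab", check_password("*T1234ab", "T1234"))
```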

    6. Exceptions

      1. General Exceptions

      1. There may be urgent, understandable reasons that a password has to be written down. In this case the user must follow the guidelines outlined in Corporate Process Guideline SSC200 Information Usage and Handling.