Password policy

This Password Policy aims to establish the guidelines and minimum requirements to create, manage, use and protect passwords in the information systems that FREMAP makes available to external users, and it is mandatory for all of them.

In order to ensure an adequate level of security, all passwords used to access FREMAP applications must meet, at least, the following criteria:

  • Have a minimum length of eight (8) characters.
  • Include at least one capital letter (A–Z).
  • Include at least one lowercase letter (a–z).
  • Include at least one digit (0–9).
  • Do not include the user's account name or parts of the user's full name in more than two consecutive characters.
  • Be significantly different from the 3 previous passwords used.

Passwords are strictly personal and non-transferable. The following is forbidden:

  • Sharing passwords with third parties under any circumstances.
  • Writing down passwords on paper or in unencrypted files or using other insecure means.
  • Storing passwords in browsers, applications or tools that do not meet security standards.

Passwords must be changed at least every 365 days or when there is suspicion or evidence of compromise, unauthorised access or a security breach.

The system will automatically block the account for 10 minutes after 3 consecutive failed attempts. The applications provide users with the means to reset their password online.

Failure to comply with this policy may result in:

  • Revocation of access.
  • Legal action if the breach causes damage or generates liabilities for FREMAP.

This policy will be reviewed periodically to ensure its compliance with current legal, regulatory and technological requirements.

This Password Policy is established in accordance with the provisions of Royal Decree 311/2022, of 3 May, regulating the National Security Scheme (ENS), and, in particular, with the basic principles and protection measures relating to access control, authentication and credential protection, applicable to information systems that provide services or process information in public sector entities or collaborators thereof.