This post is older than 2 years and might not be relevant anymore

nrf51822 password on characteristic

Good evening. I am writing a project on the nrf51822 in which there are a number of services with a set of characteristics (write and read). I need to limit access to some characteristics with a password. Is it possible?

  • You can do whatever you want on the APP layer, so if you define a protocol on top of that Characteristic and implement some password verification then it will work. On the BLE level you have only Security Manager methods, which restrict access to certain (G)ATT objects as per link (encrypted/unencrypted) status, but that is global for the link and GATT Server; you cannot make it more granular and define some additional PINs or passwords for each object...

  • You are right, there exist two levels on the (G)ATT layer: Authorization to Read/Write and Authentication to Read/Write. It seems that authorization is what you are looking for (that depends on App proprietary state and explicit permission to execute, while the other should just relate to Link state - if it uses encryption or not). See GATT Server message sequence charts here. I've totally forgotten about these, and the reason is probably that I've never seen this in use. Passwords typically add almost no security at all, so if you are not able to utilize BLE security inside the stack (e.g. because it doesn't scale to a fleet of many devices) then you should design a proper secure channel protocol on the APP layer.
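
The authorization approach described in the replies above, as an added example that is not part of the original thread or Nordic's code: the application keeps a per-connection "unlocked" flag and answers each read/write authorization request from it. All names, handles and the stored password are hypothetical and constructed; the SoftDevice event wiring is left out and only the decision logic is modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names and constructed values; no SoftDevice calls are made. */
#define PASS_LEN      8
#define MAX_ATTEMPTS  3
#define HANDLE_UNLOCK 0x0010   /* write-only "password" characteristic */
#define HANDLE_SECRET 0x0012   /* characteristic that needs authorization */

typedef struct { bool unlocked; uint8_t failures; } conn_state_t;
static const uint8_t stored_pass[PASS_LEN] = {'c','h','a','n','g','e','m','e'};

/* No early exit, so timing does not reveal how many leading bytes matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Call on connect and on disconnect so state never carries over to another peer. */
void conn_reset(conn_state_t *c) { c->unlocked = false; c->failures = 0; }

/* Returns true to accept the write, false to reject it with an ATT error. */
bool authorize_write(conn_state_t *c, uint16_t handle, const uint8_t *data, size_t len)
{
    if (handle == HANDLE_UNLOCK) {
        if (c->failures >= MAX_ATTEMPTS) return false;   /* locked out on this link */
        if (len == PASS_LEN && ct_equal(data, stored_pass, PASS_LEN)) {
            c->unlocked = true;
            return true;
        }
        c->failures++;
        return false;
    }
    return handle != HANDLE_SECRET || c->unlocked;       /* other handles stay open */
}

/* The unlock characteristic is never readable; the secret only once unlocked. */
bool authorize_read(const conn_state_t *c, uint16_t handle)
{
    return handle != HANDLE_UNLOCK && (handle != HANDLE_SECRET || c->unlocked);
}

int main(void)
{
    conn_state_t c; conn_reset(&c);
    authorize_write(&c, HANDLE_UNLOCK, stored_pass, PASS_LEN);
    return authorize_read(&c, HANDLE_SECRET) ? 0 : 1;
}
```

On an unencrypted link the unlock write is visible to anyone capturing the connection, which is why the reply above points to the stack's link security or a proper secure channel rather than a bare password.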
