Unfortunately, many banking web sites require short passwords with no special characters, likely due to legacy databases and storage. I've even seen 6-character max restrictions. Or worse, the 4-digit PIN ones (10,000 combinations, yikes; I sure hope they have a limit and lockout for incorrect guesses).
Oh god, PIN codes... Two years ago my girlfriend and I had to go to our banks and get cash. Luckily they're right across the street from each other, so we walk in to mine first. I go to the ATM, tap in my PIN, do my thing and we move across the street. I'm standing by the door while my girlfriend goes to the machine. I'm still fiddling with the receipts in my pocket and whatever when I hear something. The ATM, plastered in signs to cover your screen, not let anyone see you putting in your PIN, etc., was calling the tones on the speaker. Anyone who cared to listen could hear her PIN. I've yet to encounter another machine that does that, but man, if I ever got a hold of whoever decided that a 4-digit PIN was a good idea for security there would be quite an unpleasant exchange...
That would be Caroline Shepherd-Barron [1234]: 'One by-product of inventing the first cash machine was the concept of the PIN number.
Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.
"Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,"'
My bank upgraded from a 4-digit pin code authentication to a 6-letter ([a-zA-Z0-9]{4,6}) system. About legacy databases ...
Naturally, I complained and they told me it wasn't that big of a deal, because the actual transactions were protected by TAN generators. I had no answer to that.
Maybe I'm confused, but are they saying that you do use independent 2-factor authentication? If so, then that does reduce the risks associated with a weak password, even if it would be better to use a strong password in combination.
Sorry for being unclear. For the actual transactions, a TAN is required, but for sniffing around your transactions, seeing all your bank account information and so on, all you need to log in is the 6-letter password.