by raesene2 3145 days ago
For UK banking systems it is very likely that the passwords are stored symmetrically encrypted with the key stored in an HSM (based on my experience working as an IT security consultant in UK banks).

Whilst limiting passwords isn't good, with storage in that way I'm not sure I see many viable attacks on a 12 char random password.

Online brute force will hit the lockout on the site, and even assuming you could get access to the server hosting the encrypted passwords and HSM you can't decrypt the passwords (unless they have made some horrific setup errors), so the only offline attack is to try and brute force the encryption key, which is unlikely to be easy.


I'm not familiar with HSM [1] but is any internal attack possible, like bribing an employee or getting a trojan on somebody's computer inside the bank?

This is an HSM for people like me a few minutes ago:

[1] https://en.m.wikipedia.org/wiki/Hardware_security_module

So obviously in cases of personnel threats you need different controls.

On HSM setups I've seen the keys are under dual-control (i.e. two different people have half the key and in the event that it needs to be re-entered, both have to enter their keys independently), along with other general controls (hiring background checks etc.)

That's not to say it's impossible, just there are controls in place.

Now in all this I'm not trying to suggest that bank security is perfect, it's obviously not, but that particular concerns about password strength and threats of attack on this could be misplaced, due to lack of understanding of the controls in place.
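A model of the arrangement described across the comments above: passwords encrypted under a key that stays inside an HSM, that key loaded under dual control from two components checked against a key check value, an online lockout on the site, and a database dump that yields ciphertext only. This is an added example, not code from the original thread, from any bank, or from an HSM vendor. It substitutes HMAC-SHA256 in counter mode with an encrypt-then-MAC tag for the AES mode a real device would use, so it runs with the Python standard library alone; the class and function names, the 64-byte padded password field and the five-attempt lockout threshold are assumptions for illustration.

```python
# Added example (not bank or HSM vendor code). HMAC-SHA256 counter-mode keystream
# plus an encrypt-then-MAC tag stands in for the AES mode a real HSM would use.
# Field sizes, names and the lockout threshold are assumptions for illustration.
import hashlib
import hmac
import secrets

KEY_LEN = 32       # assumption: 256-bit master key
NONCE_LEN = 16
TAG_LEN = 32
PW_FIELD = 64      # assumption: fixed field so ciphertext length hides password length


def split_key(key: bytes):
    """Dual control: two XOR components; either one alone is uniformly random."""
    component_a = secrets.token_bytes(len(key))
    component_b = bytes(a ^ k for a, k in zip(component_a, key))
    return component_a, component_b


def combine_key(component_a: bytes, component_b: bytes) -> bytes:
    """Reconstruct the key; only possible when both custodians enter their parts."""
    return bytes(a ^ b for a, b in zip(component_a, component_b))


def key_check_value(key: bytes) -> str:
    """KCV-style fingerprint: confirms the loaded key without revealing it."""
    return hmac.new(key, b"\x00" * 16, hashlib.sha256).hexdigest()[:6]


class Hsm:
    """Holds the key; callers only ever receive ciphertext or a decryption result."""

    def __init__(self, component_a: bytes, component_b: bytes, expected_kcv: str):
        key = combine_key(component_a, component_b)
        if key_check_value(key) != expected_kcv:
            raise ValueError("key components do not reconstruct the expected key")
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks, counter = [], 0
        while sum(len(b) for b in blocks) < length:
            msg = nonce + counter.to_bytes(4, "big")
            blocks.append(hmac.new(self._enc_key, msg, hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("ciphertext failed integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def pad_password(password: str) -> bytes:
    """Length byte + password + zero padding, so every row encrypts to the same size."""
    raw = password.encode()
    if len(raw) > PW_FIELD - 1:
        raise ValueError("password too long for field")
    return bytes([len(raw)]) + raw + b"\x00" * (PW_FIELD - 1 - len(raw))


def unpad_password(field: bytes) -> bytes:
    return field[1:1 + field[0]]


class PasswordStore:
    """Application side: ciphertext rows plus the online lockout counter."""
    MAX_FAILURES = 5  # assumption: site lockout threshold

    def __init__(self, hsm: Hsm):
        self._hsm = hsm
        self._rows = {}
        self._failures = {}

    def enrol(self, user: str, password: str) -> None:
        self._rows[user] = self._hsm.encrypt(pad_password(password))
        self._failures[user] = 0

    def verify(self, user: str, candidate: str) -> str:
        """Returns 'ok', 'bad' or 'locked'; only path that ever sees a plaintext."""
        if user not in self._rows:
            return "bad"
        if self._failures[user] >= self.MAX_FAILURES:
            return "locked"
        stored = unpad_password(self._hsm.decrypt(self._rows[user]))
        if hmac.compare_digest(stored, candidate.encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "bad"

    def dump(self) -> dict:
        """What copying the database yields: nonce || ciphertext || tag per user."""
        return dict(self._rows)
```

The points the thread makes fall out of the model: `dump()` contains no plaintext and every row has the same length, so a stolen table says nothing about any password or even its length; the only online path is `verify()`, which trips the lockout; and `Hsm` refuses to start unless both components reconstruct a key whose check value matches, so a single custodian's component is useless on its own. What the model does not capture, and what a practitioner should add in a real deployment, is that the comparison itself should happen inside the HSM so that the decrypted password never reaches application memory.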