Somewhere, in the background, there's a poor old Unix mainframe running Cobol, unaware that the world around it has changed, and that it should be put to pasture, where it can live out the rest of its days in peace.
I've heard of a bank actually trying to use that excuse when asked why their online banking passwords were so limited.
That is, of course, complete bullshit.
Sure, it is plausible that a bank has an old mainframe handling their accounts. It is also plausible that user account passwords on that old mainframe are only 6 or 8 characters and from a limited alphabet.
What does that have to do with customer online banking accounts? Nothing!
When you open a bank account they don't make a user account for you on their mainframe. What they make for you is an entry in an application database that their banking applications use. The only mainframe user accounts involved are the account that the database runs under and the account that the banking application runs under, both of which are the same for all banking customers.
Even if, for some strange reason, they do actually have to make a mainframe login account for each banking customer there is no reason for the banking customer to ever directly access that. Online banking is accessed through the web, so only the web server needs to access your banking account on the mainframe. They could make the website have its own password system, without the mainframe login restrictions. The restricted mainframe login information would only be known by the mainframe and the website back end. The banking customer should never deal with that.
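The split described in the comment above, as an added example that is not part of the original thread and not any bank's code: the website keeps its own salted, slow password hash with no legacy limits, and the restricted mainframe credential is generated and held server-side. The 8-character A-Z/0-9 legacy rule, the in-memory dictionaries and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed legacy rule (constructed): at most 8 characters from A-Z and 0-9.
LEGACY_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
LEGACY_MAX_LEN = 8
PBKDF2_ITERATIONS = 600_000

# Stand-ins for the web tier's user table and a backend-only secret store.
_web_users = {}       # username -> (salt, password_hash, legacy_login)
_legacy_secrets = {}  # legacy_login -> legacy password, never shown to the customer


def _kdf(password: str, salt: bytes) -> bytes:
    # Any length and any Unicode is accepted: the hash output is fixed-size.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def register(username: str, web_password: str) -> None:
    """Create the web credential and a random legacy credential behind it."""
    if len(web_password) < 12:
        raise ValueError("web password must be at least 12 characters")
    legacy_login = "C" + secrets.token_hex(3).upper()
    legacy_pw = "".join(secrets.choice(LEGACY_ALPHABET)
                        for _ in range(LEGACY_MAX_LEN))
    salt = secrets.token_bytes(16)
    _web_users[username] = (salt, _kdf(web_password, salt), legacy_login)
    _legacy_secrets[legacy_login] = legacy_pw


def login(username: str, web_password: str):
    """Return (legacy_login, legacy_pw) for the back end's own use, or None."""
    record = _web_users.get(username)
    # Hash even for unknown users so response time does not reveal who exists.
    salt = record[0] if record else bytes(16)
    expected = record[1] if record else bytes(32)
    matches = hmac.compare_digest(_kdf(web_password, salt), expected)
    if record is None or not matches:
        return None
    legacy_login = record[2]
    return legacy_login, _legacy_secrets[legacy_login]
```

The customer only ever types the web password; the weakness of the legacy credential no longer depends on what a human can choose or remember, only on how well the back end protects its secret store.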
Worse, it's probably an emulation of a Unix mainframe running the original Cobol code - with the emulator running in machine-generated JavaScript in Node.js on AWS...
"Unix mainframe" is something that never really existed; mainframes run special operating systems like z/OS. (You can run SuSE on a virtual partition under z, but not natively, and it is a recent concept.)