by rstuart4133 1369 days ago
> max 6 character (alphanumeric) no symbol password policy

You forgot to add that case isn't significant. Still, even such small passwords can be secure if managed right. It's been that way for many years, and I don't recall seeing anything about it being broken, so I guess it must work ok. I doubt the ombudsman would care.

On the other hand, every 10 or 20 logins, after logging in it doesn't display the internet banking home page. Instead it displays the home page's CSS stylesheet. That behaviour has also been there for years. I don't know how you even do that.


The problem isn’t that the passwords are small, it’s that they aren’t being hashed. I wonder what level of data they are storing in plain text then?

Also if they aren’t able to accept other characters, I wonder what happens when you try?

I’ve worked “across” core payments (not banking) systems with the card schemes, Westpac, St George etc. So I would say I’ve seen how bad things can get, but your bank sounds like something next level.

> The problem isn’t that the passwords are small, it’s that they aren’t being hashed.

How do you know they aren't hashed? And what does that mean? Does it mean that they are using DIGEST to avoid sending plain text over the https transport, or that they aren't using key expansion for storage?

And does it matter? If someone gets into their internal systems leaked plain text passwords will be the least of their problems. Total deposits are $500 billion.

> I wonder what happens when you try?

Most people try, because they don't believe the restrictions. The answer is nothing out of the ordinary, of course. As I said, as far as I know it's never been broken. Which is kinda surprising, because their web site has more bugs than most. But it appears they've got that part right.

By the way, 6 alpha-numeric characters makes for about 1 billion combinations. The odds of guessing it in a few random goes are virtually nil, and then you are locked out and have to prove your identity via a third channel. Providing they police the max tries well, it's pretty secure.

> your bank sounds like something next level.

All the large banks are hopeless. They are an absolute nightmare to deal with on every level. This bank has been prosecuted by the Federal Government for AML violations - but again, most of them have been prosecuted for grievous unethical behaviour. That doesn't make them insecure.

The OP is wrong about SMS 2 factor - they do support other methods, and insist on them once certain circumstances arise. The banks do protect themselves. In Australia, the history has been that they are forced to make up their customers' losses. It takes years of investigations, and a lot of suffering in the meantime on the victims' part. But the precedent is well established - karma is a real thing here, and the banks behave accordingly.
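The keyspace and max-tries reasoning in this reply, together with the earlier question about whether passwords are hashed or key-stretched for storage, as an added illustration that is not part of anyone's comment in the thread: it separates the online guessing surface (bounded by a lockout) from the offline cracking surface (bounded only by how the credential store is protected). The password policies, guess rates and the `LockoutPolicy` helper are constructed assumptions for the example, not any bank's actual parameters or code.

```python
# Added example, not from the thread. Models the two attack surfaces the
# comments discuss: online guessing, which a max-tries lockout bounds, and
# offline cracking of a leaked credential store, which only hashing with
# key stretching slows down. All rates below are constructed assumptions.

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def online_success_probability(space: int, guesses: int) -> float:
    """Chance a uniformly random guesser succeeds within `guesses` tries
    against one account, i.e. before a max-tries lockout stops them."""
    return min(1.0, guesses / space)

def expected_offline_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to recover one password by exhaustive search of a
    leaked store: on average half the keyspace must be tried. A plaintext
    store needs no search at all, which is the thread's hashing concern."""
    return (space / 2) / guesses_per_second

class LockoutPolicy:
    """Hypothetical per-account failed-login counter: the 'police the max
    tries' control the reply relies on. A per-account counter bounds guesses
    per account; a rate limit on the whole login endpoint is the complement."""
    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, account: str, password: str, real_password: str) -> str:
        if account in self.locked:
            return "locked"            # no further guesses are evaluated once locked
        if password == real_password:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)   # identity must now be re-proven out of band
            return "locked"
        return "denied"

# Constructed policies: 36 = digits + one case of letters, 62 = both cases.
POLICIES = {
    "6 alnum, case-insensitive": keyspace(36, 6),
    "6 alnum, case-sensitive": keyspace(62, 6),
    "12 alnum, case-sensitive": keyspace(62, 12),
}

# Constructed guess rates for a leaked store (illustrative orders of magnitude).
STORAGE = {
    "unsalted fast hash": 1e10,   # guesses/s against a fast hash on GPU hardware
    "slow KDF":           1e4,    # guesses/s when each check is deliberately costly
}

def report(max_tries: int = 5) -> dict[str, dict[str, float]]:
    """Online success chance within `max_tries`, and expected offline crack
    time in days for each storage assumption, per policy."""
    out: dict[str, dict[str, float]] = {}
    for name, space in POLICIES.items():
        row = {"online_p": online_success_probability(space, max_tries)}
        for store, rate in STORAGE.items():
            row[store + " (days)"] = expected_offline_seconds(space, rate) / 86400
        out[name] = row
    return out

if __name__ == "__main__":
    for name, row in report().items():
        print(name)
        for k, v in row.items():
            print(f"  {k}: {v:.3g}")
```

Running it shows the asymmetry the reply leans on: with a 5-try lockout, the online odds against a single account are on the order of one in a few hundred million even for the smallest policy, while the same keyspace falls in well under a second to offline search if the store is unhashed or hashed with a fast function, and in about a day with a slow KDF. The lockout protects against one surface; storage hashing protects against the other.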