[chimeracoder]

>Banking sites are one common place ...

I can't tell you the number of times I've tried to explain to banks that 'security questions' are absolutely worthless, and that their 'secure password' policy is actually worse than no policy at all.

One bank actually requires passwords to be between 6 and 8 characters in length, with at least one letter and one number and no special characters.

[loeg]

Yep. In my experience, banking and financial websites have much worse password policies than the web at large. E.g., fidelity.com has a maximum password length of 12 characters. USAA has a maximum password length of 12 characters.

What the fuck.

[ch0wn]

This is exactly what my bank requires. Worst part after I told them that this is irresponsible: A few years ago they only allowed a 5-digit PIN for their web login.

[lloeki]

Mine used to beat yours by one, as the code was by default the actual PIN of my credit card, while the username itself was 6 digits. It's so... vile I can't even begin to describe it.

[vog]

That's okay as long as the account is inactivated after 3 failed login attempts. Which is, of course, only sensible for banks which have local branches where you can re-activate your account.

For a pure online bank this would be irresponsible, indeed.

[chimeracoder]

It's not even okay then. If I know that the universe of possible passwords is so small, it's possible to use that to allow me to crack the encryption much more easily (for example).