[tempestn]

I've found banks on average to be absolutely terrible with password security. I mentioned in another comment, my bank requires a password of exactly six characters, alphanumeric only. It's like they're trying to make it as crackable as possible. (I believe the reasoning is that they want you to be able to enter it for telephone banking using a touch tone phone, but obviously it would be far better to use a separate password for that. (Especially since I expect there's little overlap between people who use automated telephone banking and people who use internet banking...))

[girvo]

Hows this for silly: my bank has a second PIN for telephone banking (three numbers) and uses identity verification if you call over the phone... but still requires 6 alpha-numeric characters for the online banking password. Absolutely silly.

Thankfully, the damage that can be done if someone was to access my account is mitigated somewhat by the 2FA that is present; whenever a "Pay Anyone" transaction is initiated, you have to confirm it with a code that is sent via SMS to your phone.

[vegedor]

If you only have three attempts entering the PW, how is that remarkably insecure?

[tempestn]

If you only have three attempts to enter a password, even most dictionary words are secure. The problem is when the unexpected happens, and someone finds a way around that restriction. In the worst case that might mean getting a hold of a copy of password hashes. Or it might just be an exploit that lets them try more combinations over the internet. Regardless, just because there are other safeguards in place doesn't mean that password strength should be ignored.

As far as why exactly six alphanumeric characters is bad, it should be obvious, but it significantly reduces the difficulty of brute-forcing. You have 2B possibilities, total, not even taking into account dictionary attacks, which also become far easier.