Is a 6-digit numerical password secure enough for online banking?
My bank went through a major redesign of their customer online banking system recently. The way security is managed across the platform was also reviewed. The password I am able to set now to log in is forced to be 6 digits long, numerical.
.. In the case of your bank, the user name is a 16-digit number – your card number. You do generally keep your card number private. Sure, you use it for card transactions (online and offline) and it is in your wallet in plaintext – but it is reasonably private. This allows the bank to have a stronger lockout policy without exposing users to denial-of-service attacks.
In practical terms, this arrangement is secure. If your housemate finds your card, they can’t access your account because they don’t know the PIN. If some hacker tries to bulk hack thousands of accounts, they can’t because they don’t know the card numbers.
.. So while this arrangement is not typical, it appears that it is not so crazy after all. One benefit it may have is that people won’t reuse the same password on other sites.
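The lockout trade-off described in the answer above, as an added example that is not part of the original post or the bank's system: a per-account failure counter caps the chance of guessing a 6-digit PIN, and the same counter locks out the real owner, which only someone who knows the card number can trigger. The lockout limit of 3, the uniformly random PIN, the `LockoutGate` name and the sample card numbers are assumptions made for the illustration.

```python
import hmac
from fractions import Fraction

PIN_SPACE = 10 ** 6  # six decimal digits, the format described on the page


def guess_success_probability(max_failures, pin_space=PIN_SPACE):
    """Chance that distinct guesses find a uniformly random PIN before lockout."""
    return Fraction(min(max_failures, pin_space), pin_space)


class LockoutGate:
    """Hypothetical per-account failure counter; locks at max_failures."""

    def __init__(self, pins, max_failures=3):
        # pins maps card number -> PIN; kept in plaintext only for this demo.
        self._pins = dict(pins)
        self._max_failures = max_failures  # assumed limit, not from the page
        self._failures = {}

    def is_locked(self, card_number):
        return self._failures.get(card_number, 0) >= self._max_failures

    def login(self, card_number, pin):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        expected = self._pins.get(card_number)
        if expected is None:
            return "denied"  # unknown card number: no counter to run up
        if self.is_locked(card_number):
            return "locked"  # even the correct PIN is refused from here on
        if hmac.compare_digest(pin.encode(), expected.encode()):
            self._failures.pop(card_number, None)  # success resets the counter
            return "ok"
        self._failures[card_number] = self._failures.get(card_number, 0) + 1
        return "locked" if self.is_locked(card_number) else "denied"


def demo():
    # Constructed sample account; the card number is a made-up test value.
    card, pin = "4000000000000002", "482913"
    gate = LockoutGate({card: pin}, max_failures=3)
    wrong = [gate.login(card, g) for g in ("000000", "123456", "111111")]
    owner = gate.login(card, pin)  # the owner is now locked out as well
    stranger = gate.login("4000000000000010", "000000")  # number not on file
    return wrong, owner, stranger, guess_success_probability(3)


if __name__ == "__main__":
    print(demo())
```

With these assumptions the guessing chance per account is 3 in 1,000,000, and the price is that three wrong entries against a known card number deny service to its owner until the account is unlocked.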