Re: And what can you do...
I've yet to find a banking site that has actually put any thought whatsoever into passwords.
Some boneheaded ones that reveal serious underlying issues:
- characters such as %, &, @ and even * being blacklisted.
- maximum limit of 10 characters
- account lockout after 3 attempts
The first one shows that they don't properly sanitize their inputs and certainly don't hash the passwords prior to storing them in the database. Any typeable character on a keyboard ought to be allowed. There's simply no reason in today's world to have blacklisted characters unless you truly have no idea what you are doing.
The second one says that they are using an archaic database and haven't quite figured out that there are plenty of people using much more secure "pass phrases" instead.
The third one basically shows that they don't realize that people may have a dozen or so passwords across all their service sites and often take several attempts to remember which one goes here. I can understand locking the account after, say, 20 attempts, but 3 is just not enough. It's worse when you have to call them to get it fixed, and banking hours don't quite work with when normal people need access.
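The three points above boil down to one design: hash the password with a proper KDF (so the stored value has a fixed width and no character needs escaping), cap length only as a denial-of-service bound, and count failures in a window before locking. The following is an added illustration written for this page, not code from any bank or from the poster; the policy numbers (12-character minimum, 1 KiB bound, 20 failures in 15 minutes) and the `LoginGuard` class are assumptions chosen to match the post's argument.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Assumed policy values for this example, not taken from any real site:
MIN_LEN = 12              # minimum characters; no small maximum, only a DoS bound
MAX_BYTES = 1024          # generous bound so a multi-megabyte "password" can't burn CPU
LOCKOUT_THRESHOLD = 20    # the post's suggested figure, versus the 3 it complains about
LOCKOUT_WINDOW = 15 * 60  # seconds over which failed attempts are counted


def check_password_policy(pw: str) -> tuple[bool, str]:
    """Accept any printable character (%, &, @, * included) and long passphrases.
    Only control characters, very short, and absurdly long inputs are rejected."""
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw.encode("utf-8")) > MAX_BYTES:
        return False, "too long"
    if any(ord(c) < 32 or ord(c) == 127 for c in pw):
        return False, "control characters"
    return True, "ok"


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """scrypt with a fresh 16-byte salt. The digest is always 32 bytes, so the
    database column is the same width whether the password is 10 or 100 characters,
    and no character in the password ever reaches the database unencoded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LoginGuard:
    """Counts failed attempts per account inside a sliding window and locks the
    account only once the threshold is reached; a successful login clears the count."""

    def __init__(self, store: dict, threshold: int = LOCKOUT_THRESHOLD,
                 window: int = LOCKOUT_WINDOW, clock=time.time):
        self.store = store          # account -> (salt, digest); a constructed in-memory stand-in
        self.threshold = threshold
        self.window = window
        self.clock = clock
        self.failures: dict[str, list[float]] = {}  # account -> failure timestamps

    def _recent_failures(self, account: str) -> list[float]:
        now = self.clock()
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        self.failures[account] = recent
        return recent

    def attempt(self, account: str, pw: str) -> str:
        if len(self._recent_failures(account)) >= self.threshold:
            return "locked"
        salt, digest = self.store.get(account, (None, None))
        if salt is None:
            # Unknown account: run a dummy hash so timing doesn't reveal valid usernames.
            hash_password(pw, b"\x00" * 16)
            ok = False
        else:
            ok = verify_password(pw, salt, digest)
        if ok:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account].append(self.clock())
        return "bad"  # same response for unknown account and wrong password


if __name__ == "__main__":
    # Constructed sample: a long passphrase full of the characters the post says get blacklisted.
    pw = "correct horse battery staple %&@*"
    store = {"alice": hash_password(pw)}
    guard = LoginGuard(store)
    for _ in range(3):
        print(guard.attempt("alice", "not-the-password"))   # bad, bad, bad
    print(guard.attempt("alice", pw))                        # ok: 3 failures did not lock
```

Because the stored value is the scrypt digest rather than the password, the `%`, `&`, `@` and `*` in the passphrase never need to be escaped for the database, and the column width is fixed regardless of password length, which is why neither a character blacklist nor a 10-character cap is needed.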