3

Many banks I have worked with require passwords of only 4 to 6 characters. Some even force users to use only digits.

Such a poor password is protecting your financial information, because MFA is usually not available. It's true that when you want to perform an operation, you get a confirmation either by SMS or the mobile app, but to check information this is not required.

I'm quite curious, because banks which have implemented a lot of security features like BBVA, still use such passwords. So, probably there is a reasoning behind this, as it's most banks, not just one or two.

I refuse to believe it's due to legacy systems, because as I said, if they have implemented other security features along the way, I highly doubt they could not deal with 20+ year old password requirements.

The Illusive Man
    Not exactly the same question, since it does not explain why banks don't require more. But it explains why it is sufficient - [Is a 6 digit numerical password secure enough for online banking?](https://security.stackexchange.com/questions/124682/is-a-6-digit-numerical-password-secure-enough-for-online-banking). And if it is sufficient, then why make it harder for the user than necessary? – Steffen Ullrich Sep 17 '22 at 07:59

1 Answer

2

This is the usual balance between the complexity of a password and the possibility of remembering it. A standard human being can remember a 4-6 digit PIN code without writing it down somewhere, but finding and remembering a good password is beyond the ability of many bank customers.

Of course, the password is indeed weak to brute force attacks, but the solution is to prevent such attacks by locking the account after 3 to 5 errors. More or less the same way a bank card is locked after 3 erroneous codes.

As far as I know, there are very few (if any) successful attacks actually guessing the code. Many more just try to persuade the owner to give it, by pretending to be a bank employee. For that reason banks insist that their customers should never ever give that code over the phone and that their employees will never ask for it. But currently strengthening the code past 8 digits is not a concern.

Serge Ballesta
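The answer's point is that a short numeric PIN is only acceptable because the server stops an online guessing attack after a handful of failures. The following is an added example (not code from the answer or from any bank) showing what that lockout looks like in a verifier and how it bounds the guessing probability: the `Account`, `verify_pin` and `guess_success_probability` names, the PBKDF2 storage, and the lockout threshold of 3 (the lower end of the answer's "3 to 5 errors") are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption for this example: lock after 3 failures (the answer says banks use 3 to 5).
LOCKOUT_THRESHOLD = 3
PBKDF2_ITERATIONS = 50_000  # assumed value; slows offline guessing of a stolen hash


@dataclass
class Account:
    """Hypothetical server-side record: salted PIN hash plus lockout state."""
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a salted hash of the PIN so the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(pin: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pin_hash=hash_pin(pin, salt))


def verify_pin(acct: Account, attempt: str) -> bool:
    """Check one login attempt and enforce the failure counter.

    A locked account rejects everything, even the correct PIN, until it is
    unlocked out of band (the bank-card behaviour the answer describes).
    """
    if acct.locked:
        return False
    ok = hmac.compare_digest(hash_pin(attempt, acct.salt), acct.pin_hash)
    if ok:
        acct.failed_attempts = 0  # a good login clears the counter
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return False


def guess_success_probability(pin_digits: int, attempts_allowed: int) -> float:
    """Chance that a guesser with `attempts_allowed` tries at one account hits a
    uniformly chosen PIN of `pin_digits` digits. With lockout this is tiny;
    without lockout `attempts_allowed` is effectively the whole keyspace."""
    keyspace = 10 ** pin_digits
    return min(1.0, attempts_allowed / keyspace)


def lockout_demo() -> list:
    """Walk a constructed account through three wrong tries and then the right PIN."""
    acct = create_account("482913")  # constructed sample PIN
    results = [verify_pin(acct, guess) for guess in ("000000", "000001", "000002")]
    results.append(verify_pin(acct, "482913"))  # correct, but the account is now locked
    return results


if __name__ == "__main__":
    print("login results:", lockout_demo())  # [False, False, False, False]
    for digits in (4, 6, 8):
        print(f"{digits}-digit PIN, {LOCKOUT_THRESHOLD} tries:",
              guess_success_probability(digits, LOCKOUT_THRESHOLD))
```

The arithmetic is the whole argument: a 6-digit PIN has a keyspace of one million, which is trivial for an unthrottled attacker, but with the account locked after 3 failures a guesser gets a 3-in-a-million chance per account, and raising the PIN to 8 digits only moves that to 3 in a hundred million. That is why the answer says the lockout, not the length, is what matters.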