
Why is this such a common thing? Just about every bank I've used has had one of these issues on their website:

- Password can't be long

- Password can't be pasted

- Password must contain symbols

- Password can't contain symbols

I even locked myself out of my credit card (AMEX) account 3 times in less than 2 days because they have multiple different password reset forms, but one of them doesn't enforce their password length limit, so I successfully set my password to a password that was too long for the web/mobile login forms.



Finance is worse than most industries because financial institutions grow by acquisition. You make money by managing customer assets of some sort, so you're constantly buying up smaller companies, and the main corporation is this Frankenstein's monster of smaller companies.

Not only does anything digital have to be transferred over, but often customers have to be persuaded to agree to new terms, which is obviously a long, complicated process.

They also have legal legacy as the government will always grandfather old accounts when the law changes. So the banks may have special accounts that are obsolete but a few customers like the perks, that could live in an old system of their own.

Plus there are various deals they've made over time that might restrict one part of the company from doing some activity, any kind of international stuff is a total mess, it goes on.

All this means they have a ton of duplication and are constantly trying to merge their internal systems, on top of the normal awfulness of any non-tech company trying to do technology.


But, in the same breath, these are the same institutions that have the highest compliance requirements. It seems crazy that when I get these random vendor questionnaires they require such strict password requirements, yet financial institutions aren't included in adhering to these best practices.


They've got lots of compliance requirements, but I don't think they're all that strict.

As a consumer, do shop around for someone who has good security practices, and point non-tech people towards them.

Theoretically, in any fraud you can get all your money back, but if the bank decides it was your fault, you have to take them to court.


One of my favorite DEFCON presentations addressed this

https://youtu.be/fhUHVGTa8mQ

In summary: there are a lot of third party products for interacting with banking data, and different versions of those products are still in use. Security ends up being enforced based on the product/interface with the worst usability (i.e. the most restrictive set of functionality or the most bugs to work around).

The talk specifically talks about Open Financial Exchange (OFX) as one of these legacy pieces.

"Can't be pasted" has changed more recently, to my knowledge. "Can't be long" is due to some OFX protocols limiting password transmission length (and sharing passwords between services in plain text!). Special characters are disallowed because some of those characters were control characters for the communication markup.


   Why is this such a common thing? 
Short answer I suspect is old systems with complicated dependencies.


In my experience with banks that did this it was to allow a mapping to 10-digit keypads for bank-by-phone access. I haven't tried it recently, and they allow complex passwords now. When I noticed this several years ago I was able to log into my bank account via the website with the 10-digit equivalent password. At least your bank balance is insured...


Even so, you could hash the password somehow in order to produce the number, which then goes into that old system.
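As an added illustration of the two comments above (not code from any commenter): the naive letter-to-keypad mapping, how many passwords collapse onto the same digit string when the web login also accepts it, and the keyed-hash alternative. The E.161 keypad layout is standard; the HMAC-derived PIN is an assumed design, not any bank's actual scheme.

```python
import hmac
import hashlib
import math

# ITU E.161 letter layout on a telephone keypad.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {c: k for k, letters in KEYPAD.items() for c in letters}


def keypad_equivalent(password: str) -> str:
    """Naive legacy mapping: letters become their keypad digit, digits stay,
    anything else (symbols) is dropped because a phone can't enter it."""
    return "".join(
        ch if ch.isdigit() else LETTER_TO_KEY[ch]
        for ch in password.lower()
        if ch.isdigit() or ch in LETTER_TO_KEY
    )


def collision_count(digits: str) -> int:
    """Number of distinct case-insensitive alphanumeric strings that map to
    the same digit string: each digit stands for itself plus its letters."""
    n = 1
    for d in digits:
        n *= 1 + len(KEYPAD.get(d, ""))
    return n


def entropy_loss_bits(password: str) -> float:
    """Bits of search space that vanish if the web login accepts the digit
    form of the password, as the comment above describes happening."""
    return math.log2(collision_count(keypad_equivalent(password)))


def derived_pin(password: str, server_secret: bytes, length: int = 10) -> str:
    """Assumed alternative: derive the phone-channel number with a keyed hash
    instead of a reversible mapping. The digits reveal nothing about the
    password, and the web form never accepts them because it checks the
    password, not the PIN. A 10-digit PIN is still brute-forceable over the
    phone without lockout or rate limiting; hashing does not fix that."""
    mac = hmac.new(server_secret, password.encode("utf-8"), hashlib.sha256)
    return str(int.from_bytes(mac.digest(), "big") % 10**length).zfill(length)


if __name__ == "__main__":
    pw = "Password1"                        # constructed sample password
    print(keypad_equivalent(pw))            # 727796731
    print(collision_count("727796731"))     # 200000 strings share those digits
    print(round(entropy_loss_bits(pw), 1))  # 17.6 bits thrown away
    print(derived_pin(pw, b"constructed-server-secret"))
```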


There are always engineering solutions to such things, but I don't think most of the decisions are made in terms of "it's possible". There is always a risk/reward conversation, and a lot of conservatism in systems currently processing a large number of transactions and/or $ successfully. Perceived risk may or may not be analyzed correctly, mind.


You'd think when they have all the money the risk would be really high


It's not just banks - there's a lot of cargo culting around passwords in general, and it often manifests as long and pointless lists of requirements that often make things worse rather than better.

One recent example I had was with an online account that demanded a password reset. One of the requirements was "no two consecutive or three sequential characters". I'm still not quite sure what exactly it means, but it was tripped by any sequence of characters like "ab" or "21", and as a result, my generated 16-character password with no meaningful words in it was not accepted.

You know what passed the filters though? "secret_1".



