Speaking of character limits, my bank, Swedbank Latvia, used to have a 16-character limit on passwords. After lots and lots and lots of pestering over various channels, they finally fixed it. But the "fix" was to add a maxlength attribute on an input field. So the field will accept the 16 first characters and ignore the rest (password fields are masked so the user cannot see the field is not accepting their input). So yes, I could now set my password to "SwedbankSecurityExperts", yay. But I could later log in with "SwedbankSecurityIncompetence" as well...
Well, 16 isn't so bad. Here, in France, BNP accounts must have exactly six digit passwords. They're also incompatible with password managers: you have to click the number on a visual number pad.
I've had business and personal accounts with SG, La Banque Postale, BoursoBank and CIC and they all worked with those 6-character "visual number pad" logins.
I doubt it. N26, which is granted a "new bank", doesn't have that, even though it now has an actual French subsidiary, complete with French account numbers. My password with them is way above 6 characters, and contains numbers, letters and symbols. The login page has a regular password field.
I think the others are just copycats. Someone must have come up with this first, and the others figured "yeah, that looks so secure, let's do that, too". If I had a penny for every CSO who justified some stupid "security" idea with "everybody does it, why shouldn't we?" I'd be so rich I wouldn't care about this crap anymore.
To be honest, I'm neither a web dev/designer nor do I have bad sight, so I admit I don't really know how accessibility works. I expect this to be compatible with screen readers somehow, they even say they take this seriously. But from a quick glance at the Accessibility tab in Firefox, I see many complaints about "interactive elements must be labeled".
Obviously, if the computer reads aloud the password as you type it, it's an absolute win for security, and I'm sure some PMs somewhere are quite content with a job well done.
At least you can login. Alipay in China has (or had, it's been a while) a max length of about 16 characters for your full name, but when linking to your bank account it compares with the whole string, so any name longer than 16 characters will always return false.
I've spent a lot of time in China over the years and most of their tech systems are built on the assumption that only Chinese folk will ever use it. In this case, the vast majority of Chinese people have a 2, 3 or 4 character name ('why would you EVER need 16, silly 老外?')
It's a bit of a 'Foreigner in China' stereotype to whine about how absurdly difficult it is to go to e.g. the bank or a hospital as a non-native because it happens so often.
The character limitation is also a problem in Korea. The thing that makes it worse is that your name on your alien registration card (think Green Card) is used to open your bank accounts. If they don't match you'll have a hell of a time doing any sort of online or mobile transaction since the systems are tied together. Only recently some banks have recognized this as a problem and extended the number of characters allowed.
