My own bank used to have [A-Za-z0-9] passwords with a character limit + browser certificates. I thought the former was pretty bad (and it's always alarming, as it tends to imply they're storing it in plaintext if they even care what the characters are ...).
Then they got bought by another bank ... and now, they require *6-digit* PINs/passwords + no certificates. Yes, there's 2FA involved now, but seriously, 6 digits?