6 characters for a bank password?! Get a better bank!
It's unbelievable how bad the password policies of some banks are. Mine doesn't allow special characters, for example. Fortunately it does allow longer passwords at least.
That's nothing, mine's a 5 digit pin code which they only validate 3 of in a random order (to annoy keyloggers, I assume) plus the last 4 digits of my phone number.
Edit: This feels like the scene where Mel Gibson and Rene Russo compare scars in Lethal Weapon 3.
Bingo. I wonder what their brute force protection is like, but I'm not going to go pentesting the login of a company I'm in the same legal jurisdiction as.
Yeah, similarly, Lloyds/HBOS in the UK do allow you to have a master password but you also need to fill out a "memorable information" where you select 3 random characters from a second password. But you don't type them, you select them from a drop down. I can see how this would annoy the most basic of keyloggers but it is also a UX disaster and not suitable for decent loggers. Pisses me off.
My bank not only allows a maximum of 6 characters, but it truncates all characters beyond 6 when processing the login form. If my password was "passwd", they would accept "passwdjdodw89wawlks".
My bank secretly truncates your password to the first 12 characters. The login form processes all characters. I found this out because I couldn't login after having "successfully" set my password to 32 random characters. Luckily customer support was able to confirm the first 12 characters of the password over the phone.
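The two truncation failures in the last two posts (a login form that ignores everything past 6 characters, and an enrolment form that silently keeps only the first 12 characters while login compares all 32) can be caught with a regression check like the one below. This is an added example, not code from the thread or from any bank; the credential store, the hashing scheme and the audit password are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Toy credential store modelling the two truncation bugs reported in the
# thread (constructed example; not any bank's code). ``set_limit`` is where
# the enrolment form cuts the password, ``check_limit`` where the login form
# cuts the candidate; None means "use the full string".


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class CredentialStore:
    def __init__(self, set_limit=None, check_limit=None):
        self.set_limit, self.check_limit = set_limit, check_limit
        self.salt, self.digest = os.urandom(16), None

    def set_password(self, password: str) -> None:
        # Silent truncation at enrolment: only the first set_limit chars are hashed.
        self.digest = _hash(password[: self.set_limit], self.salt)

    def check_password(self, candidate: str) -> bool:
        # Truncation at login: characters past check_limit are ignored.
        probe = _hash(candidate[: self.check_limit], self.salt)
        return hmac.compare_digest(probe, self.digest)


# Constructed 32-character audit password (not a real credential).
AUDIT_PASSWORD = "k7Qp!2vL9xRz#4Wm@8Nb$3Yt^6Hd&5Fj"


def truncation_audit(store: CredentialStore) -> dict:
    """Enrol a long password, then probe the login path.
    Any True value is one of the defects described in the thread."""
    store.set_password(AUDIT_PASSWORD)
    return {
        # Enrolment truncated but login did not: the user is locked out.
        "full_password_rejected": not store.check_password(AUDIT_PASSWORD),
        # A proper prefix logs in: only that many characters are verified.
        "prefix_accepted": any(store.check_password(AUDIT_PASSWORD[:k])
                               for k in range(4, len(AUDIT_PASSWORD))),
        # Trailing junk is ignored at login.
        "suffix_accepted": store.check_password(AUDIT_PASSWORD + "junk"),
    }


if __name__ == "__main__":
    for label, store in [("6-char login form", CredentialStore(6, 6)),
                         ("12-char enrolment only", CredentialStore(12, None)),
                         ("full-length", CredentialStore())]:
        print(label, truncation_audit(store))
```

Running the same audit against a real enrolment/login pair in a staging environment is the check that would have surfaced both bugs before customers did.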
At least you have to enter the code in a virtual numpad that is randomized after each connection on their webpage.
I guess they settled for this measure so it does not annoy their less "tech-savvy" customers. I am baffled to see banks working with such low security practices in general ("admin"-like access on your bank accounts by any employee, checking money transfers AFTER executing them, ...).
One bank that I'm not going to identify is particularly scary. Predictable account number (sequential, I think) + 4 digit PIN. Even if they lock individual accounts after X retries, nothing prevents a well-distributed botnet from gaining access to an account (on average) every 10,000 attempts.
There was a recent post analyzing the distribution of 4 digit PINs, and using that I think it was something like 20 guesses would give you a 10% chance of access.