
Or they have a web front end that goes over to an old mainframe.


I don't buy that as an explanation for ridiculous password limitations.

It is true that mainframe timesharing systems often had password requirements that are considered weak by today's standards. However, there is no reason for bank customers to even have accounts on the mainframe. Bank customer accounts have nothing to do with mainframe user accounts.

There is no good reason for any mainframe password restrictions to leak into the public facing web front end. To the mainframe, the web password should just be a data field in a database [1], and mainframe databases can easily handle data fields of sufficient length to support modern password best practices.

[1] Or rather, the output of hashing (with something like bcrypt or better) is just a data field in a database.


I agree but it wouldn't surprise me if they did it all wrong and were just passing credentials.



