I just told labanquepostale.fr about this issue via their internal messaging system, and they justify it by saying that I also have to input a 10 character identifier, and that their "virtual keyboard" changes the arrangement of the digits at each logon.

How can this be secure? If it's not, what would be good arguments to get them to think about changing it?
They often do stuff like this so it is easier to verify a customer via a phone system (e.g. "enter your pin now!").

But, yes, it is bad practice and lazy. They could trivially have a "phone pin" or just verify security questions over the phone like almost every other bank on the planet.

As nodata quite correctly pointed out, it could be made secure by locking out your account after a very short number of tries (e.g. 5), then requiring telephone or email verification to re-enable it. That would stop brute force, dictionary, and distributed versions of the same from effectively working no matter how small the password space is.

In my experience companies who enforce things like a 6 character password are not the kind who will sit there and calculate out the attempts/minute and "time to break (TTB)."

Plus the thing they said about their virtual keyboard shows utter ignorance and incompetence. Professional keyloggers don't literally log your keys! They hook into the network stack or browser and literally grab completed POST HTTP/s requests, so a virtual keyboard adds nothing at all security wise (and arguably makes it easier for someone to shoulder surf you, even if that threat is highly overblown and rarely exists).

So, yeah... Good luck convincing them. Whoever works there making security decisions clearly is incompetent, and it will likely take internal rather than external pressure for that to change.
It depends on how quickly they lock your account if the wrong password is entered.

If they lock it after three goes, how is a 6 digit password less secure than a 100 character password?
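The lockout argument made in the two answers above, worked through in numbers as an added example that is not part of either post: the first answer mentions calculating attempts/minute and "time to break" and suggests locking after 5 tries, the second asks how a 6-digit PIN with a 3-try lockout is worse than a 100-character password. The code computes the expected effort against a uniformly random 6-digit PIN with no lockout, the attacker's success probability when an account locks after N tries, and drives a naive guesser against a toy server-side lockout policy. The 600 attempts/minute rate, the 62-character alphabet for the 100-character comparison and the PIN values are constructed assumptions, not figures from the bank or the thread.

```python
"""
Lockout arithmetic for a 6-digit bank PIN (added example, not from the thread).
Every rate and PIN below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field

PIN_SPACE = 10 ** 6            # six decimal digits, as the bank allows
PASSWORD_SPACE_100 = 62 ** 100  # assumed 62-char alphabet for the "100 character password" remark


def expected_guesses(space: int) -> float:
    """Mean number of guesses to hit a uniformly random secret: (space + 1) / 2."""
    return (space + 1) / 2


def hours_to_break(space: int, attempts_per_minute: float) -> float:
    """Expected hours for an online guesser limited only by rate, with no lockout."""
    return expected_guesses(space) / attempts_per_minute / 60


def success_probability_with_lockout(space: int, tries_before_lock: int) -> float:
    """Chance a guesser gets in before the account locks (uniformly random secret)."""
    return tries_before_lock / space


@dataclass
class LockoutPolicy:
    """Toy server-side lockout: lock after N consecutive failures until re-enabled out-of-band."""
    max_failures: int = 5
    failures: dict = field(default_factory=dict)   # user -> consecutive failed attempts
    locked: set = field(default_factory=set)       # users currently locked out

    def attempt(self, user: str, correct: bool) -> str:
        # A locked account rejects even the right PIN until re-enabled.
        if user in self.locked:
            return "locked"
        if correct:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"

    def reenable(self, user: str) -> None:
        """Only called after the telephone or e-mail verification step."""
        self.locked.discard(user)
        self.failures.pop(user, None)


def simulate_guessing(policy: LockoutPolicy, user: str, secret_pin: int) -> tuple:
    """Naive sequential guesser against the policy; returns (outcome, attempts made)."""
    attempts = 0
    for guess in range(PIN_SPACE):
        attempts += 1
        result = policy.attempt(user, guess == secret_pin)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", attempts


if __name__ == "__main__":
    print(f"no lockout, 600 attempts/min: ~{hours_to_break(PIN_SPACE, 600):.1f} h to break a 6-digit PIN")
    print(f"lock after 5 tries: p(success) = {success_probability_with_lockout(PIN_SPACE, 5):.0e}")
    print("100-char password, no lockout:", f"{hours_to_break(PASSWORD_SPACE_100, 600):.2e} h")
    print("guesser vs 5-try lockout:", simulate_guessing(LockoutPolicy(max_failures=5), "alice", 123))
    print("guesser vs no lockout:", simulate_guessing(LockoutPolicy(max_failures=PIN_SPACE + 1), "bob", 123))
```

The numbers make the point the answers are arguing over: with no lockout a 6-digit PIN falls in hours at a modest request rate, while with a 5-try lockout an attacker gets a 5-in-a-million chance per account per out-of-band reset, which is why the policy, not the digit count, is what the bank should be asked about.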
Well, it might be secure from their point of view but from the user's (yours) definitely too annoying. I'm sure that it's not easy to update/migrate to a new security system but some solutions are just crying to be updated.

Btw, I found this tweet that describes the bank's security measures :)- https://twitter.com/webchaeschtli/status/462584313209696258