Banks Are the Worst
If you use a password manager, you've run into this: you try to create a strong, unique password for your bank — and it gets rejected. Too long. Too many special characters. Can't use your preferred format.
This isn't an accident. It's a policy choice. And it's one of the most dangerous policy choices in consumer software.
The Legacy System Excuse
Banks often blame legacy systems. The authentication infrastructure at a major bank may date back decades, built when 8-character passwords were considered secure and the concept of a password manager didn't exist.
That explanation is real. But it's not an excuse — it's an indictment. Companies with the largest security budgets on earth have chosen not to modernize the systems that protect their customers' accounts.
What Actually Happens
When your bank limits you to 12 characters:
- You can't use a strong generated password (most are 20+ characters)
- You end up with a password you can remember, which means a weaker one
- If you reuse that password elsewhere and that other site is breached, your bank account is exposed
The password restriction is a direct risk to your financial security. Not a hypothetical risk. A real one.
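To make the point concrete, here is an added example (not from the original post) that checks a password-manager-style generated password against two constructed policies: a restrictive one with the 12-character, alphanumeric-only cap described above, and a permissive one with the 64+ character support the post recommends. The policy dictionaries and the entropy ceiling are assumptions for illustration, not any real bank's rules.

```python
import math
import secrets
import string

# Two constructed policies (assumptions for this example, not any real bank's rules).
# RESTRICTIVE mirrors the 12-character cap described above; GOOD mirrors the
# 64+ character support that well-scoring banks offer.
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
FULL_ASCII = ALPHANUMERIC + string.punctuation        # 94 symbols
RESTRICTIVE_POLICY = {"max_len": 12, "allowed": set(ALPHANUMERIC)}
GOOD_POLICY = {"max_len": 64, "allowed": set(FULL_ASCII)}


def check_password(password: str, policy: dict) -> list[str]:
    """Return the reasons a policy rejects the password; an empty list means accepted."""
    reasons = []
    if len(password) > policy["max_len"]:
        reasons.append(f"too long: {len(password)} > {policy['max_len']}")
    disallowed = sorted({c for c in password if c not in policy["allowed"]})
    if disallowed:
        reasons.append("disallowed characters: " + "".join(disallowed))
    return reasons


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def strongest_allowed_bits(policy: dict) -> float:
    """Ceiling on what a policy lets a user choose: max length over the full allowed set."""
    return entropy_bits(policy["max_len"], len(policy["allowed"]))


def generate(length: int, alphabet: str = FULL_ASCII) -> str:
    """Generate a password the way a password manager does: uniform random symbols."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(password: str) -> dict:
    """Show how one generated password fares under both policies."""
    return {
        "length": len(password),
        "restrictive_rejections": check_password(password, RESTRICTIVE_POLICY),
        "good_rejections": check_password(password, GOOD_POLICY),
        "restrictive_ceiling_bits": round(strongest_allowed_bits(RESTRICTIVE_POLICY), 1),
        "good_ceiling_bits": round(strongest_allowed_bits(GOOD_POLICY), 1),
    }


if __name__ == "__main__":
    for key, value in compare(generate(24)).items():
        print(f"{key}: {value}")
```

The restrictive policy caps even a perfectly random password at about 71 bits, while the permissive one allows over 400; a 24-character generated password is simply rejected by the first.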
What Good Banking Security Looks Like
Banks that score well on PassFail have figured this out:
- Long password support (64+ characters)
- Hardware key MFA (FIDO2/WebAuthn)
- No paste blocking
- Breach notification systems
- Clear security documentation
It's achievable. Some banks do it. The rest are making a choice.