Citizens Bank

Name: Citizens Bank Password Policy Grade
Item: Citizens Bank
Rating: 5
Author: PassFail.wtf Community

https://pay.citizensbank.com ↗

banking⚠ Unverified⚠ Needs re-verificationLast tested 2mo ago

53/110

48%

53/110

0 verifications

Share:Post Bluesky Reddit LinkedIn

Category Breakdown

Category 1

Password Length Policy

10/20

8–24 chars

Category 2

Character & Composition Rules

0/20

Silently rejects & character; manual email verification required

Category 3

Multi-Factor Authentication

8/25

SMS 2FA available

Category 4

Anti-Pattern Penalties

20/20

Category 5

Password Manager Compatibility

15/15

Category 6

Breach Response & Credential Hygiene

0/10

What They Should Fix

✗

Password length restrictions are too tight

Allow minimum 8 chars, support up to at least 64 characters (preferably unlimited)

Reference: NIST SP 800-63B §5.1.1

✗

Overly restrictive character rules

Accept all printable ASCII and Unicode characters. Remove composition requirements (no "must contain uppercase + number")

Reference: NIST SP 800-63B §5.1.1

✗

Weak or missing MFA support

Implement TOTP (authenticator apps) and FIDO2/WebAuthn hardware keys. Work toward passkeys as a passwordless option

Reference: NIST SP 800-63B §4.3.1

✗

No breach detection

Check new passwords against known-breached lists (e.g. HaveIBeenPwned API). Notify users of relevant breaches

Reference: NIST SP 800-63B §5.1.1.2

Community Verification

Help the community by testing this policy yourself. Earn +5 karma for each verification.

Comments (0)

No comments yet. Be the first to share your experience.