As far as I can tell, these limits apply to passwords, but not to security questions. Maybe we should just put passwords into the security answer field as well (since the bank will almost always ask for a security question/answer if you're logging in from a different computer than normal).