One thing that tends to be more or less ignored: the defenses that banks deploy to protect themselves against the bad passwords that they force their customers to use are not intended to help the customer; very much the opposite, they are a vulnerability in themselves.
Specifically, the tendency to lock an account after a few wrong login attempts is effectively a DoS vulnerability for the customer, as it allows anyone who knows your username (which often even is just the account number, so essentially public information) to trivially prevent you from accessing/using your money.
Their only focus is on preventing third parties from accessing my money, but my interest is not that third parties cannot access my money; my interest is that I can access my money, which means both not having it taken by third parties and not having it taken temporarily by the bank, which wants to protect itself. (If the bank locks me out of my account, that's functionally equivalent to them taking all my money out of my account for a day or two, or however long it takes to reactivate the login; while I am locked out, I can pay just as much as when there is no money in the account.)
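To make the lockout-as-DoS argument above concrete, here is an added example (not code from anyone in this thread) that puts the hard-lockout policy beside a per-client backoff policy: a stranger who knows only the account number guesses a few times, then the real owner logs in from a different client. The account number, client labels and password are constructed sample values.

```python
"""Added example: 'lock the account after N failures' versus a per-client
backoff that slows down the guessing client without locking the owner out.
Caveat: the backoff keys on a client identifier (here a label; in practice
a source address plus device/session signals), which must be hard to forge."""
import time
from collections import defaultdict

VALID = {"12345678": "correct horse battery staple"}  # constructed sample


class HardLockout:
    """Weak setting criticised above: N wrong guesses lock the account for everyone."""
    MAX_FAILS = 3

    def __init__(self):
        self.fails = defaultdict(int)   # failures per account, regardless of source
        self.locked = set()

    def login(self, client, account, password):
        if account in self.locked:
            return "locked"             # the legitimate owner is denied as well
        if VALID.get(account) == password:
            self.fails[account] = 0
            return "ok"
        self.fails[account] += 1
        if self.fails[account] >= self.MAX_FAILS:
            self.locked.add(account)
        return "denied"


class PerClientBackoff:
    """Hardened setting: a growing delay per (client, account) pair, no global lock."""
    BASE_DELAY = 1.0                    # seconds; doubles with each failure

    def __init__(self, now=time.monotonic):
        self.now = now                  # injected clock so the policy is testable
        self.fails = defaultdict(int)
        self.not_before = defaultdict(float)

    def login(self, client, account, password):
        key = (client, account)
        if self.now() < self.not_before[key]:
            return "throttled"          # only this client is slowed down
        if VALID.get(account) == password:
            self.fails[key] = 0
            return "ok"
        self.fails[key] += 1
        self.not_before[key] = self.now() + self.BASE_DELAY * 2 ** self.fails[key]
        return "denied"


def simulate(policy, account="12345678"):
    """A stranger guesses 5 times from client A; then the owner logs in from client B."""
    for _ in range(5):
        policy.login("A", account, "wrong guess")
    return policy.login("B", account, VALID[account])
```

Under `HardLockout` the owner's correct login from client B is refused; under `PerClientBackoff` the owner gets in while the guessing client remains throttled.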
True, but mostly beside the point? I mean, not only can you not freely substitute debit cards or paper checks for wire transfers, but also you potentially cannot even access funds in some savings account, say, through any of those; plus there obviously are many more services that banks provide that have nothing to do with payment but which are affected by the same problem. Read some bad news and want to sell some stocks before the price plummets? Not today, you have been locked out for security reasons!