
Unsalted hashes in 2012 was negligence already...


I complained to my bank that their 12 character password limit suggests they are storing passwords. Their reply was little more than don't worry about it, you aren't responsible for fraud. I asked for them to add some kind of second factor authentication (I'm a fan of TOTP systems) and was told they are thinking about making that available for their business accounts.

It bothers me that my most valuable login is probably my weakest.


I'm glad they fixed this, but until relatively recently (last year), Charles Schwab had the following password requirements:

* between 6 and 8 characters

* alphanumeric

* no symbols

* case-insensitive

[1] is a nice writeup of exactly how broken this was until they changed it recently.

[1] - http://www.jeremytunnell.com/posts/swab-password-policies-an...



