My bank has a catchphrase, "Your Security - Our Priority", but their online password policy doesn't seem to reflect that. I had to set a password for online access this morning and found that I was forced to specify a password of exactly 6 characters with no special characters (not even spaces, periods, etc.) and no option for a second factor.
Is there some technological reason for this? Maybe limitations of old backend systems that they are still using?
PIN length: The standard specifies that PINs shall be from four to twelve digits long, noting that longer PINs are more secure but harder to use. It also suggests that the issuer should not assign PINs longer than six digits.
PINs are not exclusively used for card access. I suppose they chose the PIN format because you can enter those on old clunky cell phones.
I imagine that they will lock you out after a few failed attempts, so six digits might actually be enough. You should not think of this the same way as accessing a web site with a password. Are you required to enter the number using a registered device, or can you access it from any machine? If the latter, I would be more worried about denial of service attacks, because people can lock other people out of their accounts.
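As an added example (not from the original thread), the following puts numbers on the point above: the keyspace of a 6-digit PIN versus a 6-character alphanumeric password, and a temporary, escalating lockout that throttles online guessing without letting a third party lock a victim out for good. The threshold and lock durations are assumed values for illustration, not any bank's actual settings.

```python
# Added example, not from the original thread. keyspace() compares a 6-digit PIN
# with a 6-character alphanumeric password; LockoutPolicy models a temporary,
# escalating lock (assumed settings) rather than a permanent one.
from dataclasses import dataclass, field

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct secrets of the given length over the given alphabet."""
    return alphabet_size ** length

@dataclass
class LockoutPolicy:
    threshold: int = 3            # failures before the account is locked (assumed)
    base_lock_seconds: int = 60   # first lock length; doubles on each further lock
    max_lock_seconds: int = 3600  # cap so a victim is never locked out for long
    failures: dict = field(default_factory=dict)
    lock_count: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def report_success(self, account: str) -> None:
        for table in (self.failures, self.lock_count, self.locked_until):
            table.pop(account, None)  # a good login clears all counters

    def report_failure(self, account: str, now: float) -> None:
        n = self.failures.get(account, 0) + 1
        if n < self.threshold:
            self.failures[account] = n
            return
        k = self.lock_count.get(account, 0)  # escalate on repeated locks
        self.locked_until[account] = now + min(self.base_lock_seconds * 2 ** k,
                                               self.max_lock_seconds)
        self.lock_count[account] = k + 1
        self.failures[account] = 0

def guesses_per_day(policy: LockoutPolicy, account: str = "victim") -> int:
    """How many wrong guesses an online attacker can submit in 24h under the policy."""
    now, guesses = 0, 0
    while now < 86400:
        if policy.is_locked(account, now):
            now = policy.locked_until[account]  # attacker has to wait out the lock
            continue
        policy.report_failure(account, now)
        guesses += 1
    return guesses
```

With the assumed settings an attacker gets 87 online guesses per day against a one-million-value keyspace, while a legitimate user who was locked by someone else regains access automatically after at most an hour.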
At my bank I have a separate PIN for telephone banking, or at least I use that PIN when I have to telephone them for support. (Which happened last month when I forgot what I told them my "favourite magazine subscription" was and so I was locked out of on-line access to my account.)
But a 6-character password for all access? That does sound a bit like it's driven by an old back-end system to me too.
Yes, but then what can you do with that online banking system?
Quite a few systems I know of (say you want to transfer money from account A to account B) would require you to:
- know your card PIN code
- have a portable physical device to read the card and issue a special one-off code
- have your debit/credit card physically with you

In that sense, a short PIN is OK; there's not much you can do with it anyway without having , yeah - check balance, transfer money between your personal accounts, but that's not much use to a fraudster.
I use a phone app to accomplish my banking operations, and I use a 6-digit pass code too. But in order to obtain that, I had to go through a certain process which also required . After connecting I can transfer money only to the accounts I configured in my full online banking account (via web, to connect  is needed). In case I want to do a transfer (via phone app) to an account which is unknown to my banking system, I need to do  again.
BUT, if after all your system requires only a 6-digit pass code and then you can do pretty much everything from there without anything else, then it is time to reconsider the bank you are using. Such a system would sound like -10 years in technology.