Is a 6 digit numerical password secure enough for online banking?

A 6 digit numerical password doesn't do much.

Why 6 Digits?

Troy Hunt has an excellent blog about being forced to create weak passwords where he talks about various bad practices including forcing short numerical passwords and puts forward the often used excuse that

“We want to allow people to use the same password on the telephone keypad”

The only valid reason to require a numerical only password is that the only input available to a user is numerical (e.g. with ATMs); (similarly the only valid reason to require a human readable password is that a human will read it - which would be a very bad sign if it was used not just for telephone banking, but for the website too).

But if that is the reason, why on earth would they force you to use the same insecure pass code online (or on mobile), when you have access to a full qwerty keyboard?

How easy is it to brute force the way in?

There are 10^6 possible passwords consisting of 6 digits.

For an unskilled attacker, getting into your account is no problem at all if they have your username and unlimited attempts. You should assume they have your username. Usernames are not secrets.

Let's maybe assume the bank has thought of this, and locks each account after 3 bad tries, or perhaps initiates a robot-limiting option like a captcha to try again after that. Then the attacker still has a 3/1000000 chance of getting into a random account within that window.

That means if they attack 1000000 accounts, they can expect to get into 3. And making 3000000 requests would not take very long at all.

Compare that to how many passwords there are with 6 alphanumeric characters (by most security standards, far too short, and not complex enough).

There are 62^6 = 56800235584 possible 6 character alphanumeric passwords. That's still too weak, but it's already 56800 times stronger!

Stored securely?

Needless to say, if the user database was breached, 10^6 possible passwords is ridiculously low entropy, and whatever hashing and salting system they've used, they can't keep your passcode secure.

Your bank's plan in the case of a database breach is presumably to roll over and cry. Maybe they think the outcome is so bad they just aren't going to plan for it.

Assuming the other authentication method is secure, should I worry?

An attacker seeing your finance history is a really big issue; you should be worried even if the other authentication method blocking transfers is secure. And you should not expect the other method to be secure.

How much other information is leaked about you without the 2nd authentication method? Your name, address, email, maybe?

These are more than enough to start doing background research on you, to get additional info - these could be clues to your other password, or good strong information on how to phish you. They might try calling you, using the information they have on you so far to gain your trust, pretending to be the bank, and trick you into revealing other secrets about yourself under a ruse that you need to authenticate to them by answering the last few questions they need in order to get into your account.

As another example, if the 2nd authentication method is a strong password, but the customer (and for most customers the "you" isn't tech savvy) happens to have ever been included in a database breach for another website where they used the same username/email and password, then it's game over. This logic applies to any username/password based system, but is particularly relevant in this case because the attacker is able to discover other information about you exposed by the first insecure authentication method, and because the 2nd password is now the only barrier to them taking your money. This is one reason why the industry standard is to require two-factor authentication on banking websites before showing the user anything.

As for industry standards: my bank has no maximum password length, accepts special characters, and then follows it up with a 2nd passcode which can only be entered by selecting some letters from a series of drop-downs (so the entire 2nd passcode isn't used in a single attempt).

I'd prefer it if my bank used an out of band 2nd authentication factor; such as a code being sent to my phone.
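The keyspace arithmetic in the answer above (10^6 six-digit PINs versus 62^6 alphanumeric passwords, and the expected number of accounts an attacker breaks when spreading a handful of guesses across many accounts) is easy to get wrong by a factor of a thousand, so here it is as a small added Python example. It is not code from the original answer; the account counts and attempt limits are the answer's own illustrative figures, and the alphabet sizes are the usual assumptions (10 digits, 62 upper/lower/digit characters).

```python
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def success_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random password
    from a space of `space` candidates (capped at 1.0 once the space is exhausted)."""
    return min(attempts, space) / space


def expected_compromised(accounts: int, attempts_per_account: int, space: int) -> float:
    """Expected number of broken accounts when an attacker makes
    `attempts_per_account` guesses against each of `accounts` accounts.
    This is the 'password spraying' case the answer describes: a lockout
    after N tries per account does not bound the attacker across accounts."""
    return accounts * success_probability(space, attempts_per_account)


def total_requests(accounts: int, attempts_per_account: int) -> int:
    """Login requests the attacker has to send for the spray above."""
    return accounts * attempts_per_account


def strength_ratio(alphabet_a: int, length_a: int, alphabet_b: int, length_b: int) -> float:
    """How many times larger keyspace B is than keyspace A."""
    return keyspace(alphabet_b, length_b) / keyspace(alphabet_a, length_a)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Figures from the answer: 3 guesses per account before lockout, 1,000,000 accounts.
    pin_space = keyspace(10, 6)
    print(f"6-digit PIN space:        {pin_space:,}")
    print(f"6-char alphanumeric:      {keyspace(62, 6):,}")
    print(f"ratio:                    {strength_ratio(10, 6, 62, 6):,.0f}x")
    print(f"expected compromised:     {expected_compromised(1_000_000, 3, pin_space):.1f}")
    print(f"requests needed:          {total_requests(1_000_000, 3):,}")
    print(f"PIN entropy:              {entropy_bits(10, 6):.2f} bits")
```

The point the numbers make is that a per-account lockout only caps the attacker's per-account odds; it does nothing about the sum over accounts, which is why the answer treats usernames as public and counts total requests instead.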


Unusual? Yes. Crazy? No. Read on to understand why...

I expect your bank has a strong lockout policy, for example, three incorrect login attempts locks the account for 24 hours. If that is the case, a 6-digit PIN is not as vulnerable as you might think. An attacker that tried three PINs every day for a whole year, would still only have about a 0.1% chance of guessing the PIN.

Most websites (Facebook, Gmail, etc.) use either email addresses or user-selected names as the user name, and these are readily guessable by attackers. Such sites tend to have a much more relaxed lockout policy, for example, three incorrect logins locks the account for 60 seconds. If they had a stronger lockout policy, hackers could cause all sorts of trouble by locking legitimate people out of their accounts. The need to keep accounts secure with a relaxed lockout policy is why they insist on strong passwords.

In the case of your bank, the user name is a 16-digit number - your card number. You do generally keep your card number private. Sure, you use it for card transactions (online and offline) and it is in your wallet in plaintext - but it is reasonably private. This allows the bank to have a stronger lockout policy without exposing users to denial of service attacks.

In practical terms, this arrangement is secure. If your house mate finds your card, they can't access your account because they don't know the PIN. If some hacker tries to bulk hack thousands of accounts, they can't because they don't know the card numbers. Most account compromises occur because of phishing or malware, and a 6-digit PIN is no more vulnerable to those attacks than a very long and complex password. I suspect that your bank has no more day-to-day security problems than other banks that use normal passwords.

You mention that transactions need multi-factor authentication. So the main risk of a compromised PIN is that someone could view your private banking details. They could see your salary, and your history of dodgy purchases. A few people have mentioned that a 6-digit PIN is trivially vulnerable to an offline brute force attack. So if someone stole the database, they could crack your hash, and get your PIN. While that is true, it doesn't greatly matter. If they cracked your PIN they could login and see your banking history - but not make transactions. But in that scenario they can see your banking history anyway - they've already stolen the database!

So while this arrangement is not typical, it appears that it is not so crazy after all. One benefit it may have is that people won't reuse the same password on other sites. I suspect they have done this for usability reasons - people complained that they couldn't remember the long, complex passwords that the site previously required.
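The answer above hinges on the lockout policy (three failures locks the account for 24 hours) and on the resulting per-account odds (about 0.1% over a year). As an added example, not part of the original answer, here is a minimal per-account lockout as a bank's login service might implement it, plus the arithmetic that turns a policy into a yearly guessing probability. The threshold, lockout duration and 10^6 keyspace are the answer's figures; the class names and the injectable clock are my own.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last lock/success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LockoutPolicy:
    """Lock an account for `lockout_seconds` after `threshold` consecutive failures.
    `clock` is injectable so the behaviour can be tested without waiting a day."""

    def __init__(self, threshold: int = 3, lockout_seconds: int = 24 * 3600, clock=time.time):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.accounts: dict[str, AccountState] = {}

    def is_locked(self, username: str) -> bool:
        st = self.accounts.get(username)
        return st is not None and self.clock() < st.locked_until

    def record_attempt(self, username: str, credential_ok: bool) -> str:
        """Returns 'locked', 'ok' or 'failed'. A correct credential during a lock
        is still refused, so an attacker cannot learn anything while locked out."""
        st = self.accounts.setdefault(username, AccountState())
        if self.clock() < st.locked_until:
            return "locked"
        if credential_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            st.failures = 0
            st.locked_until = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"


def max_guesses(threshold: int, lockout_seconds: int, horizon_seconds: int) -> int:
    """Upper bound on guesses against one account over a time horizon:
    `threshold` guesses per lockout window."""
    return threshold * (horizon_seconds // lockout_seconds)


def guess_probability(threshold: int, lockout_seconds: int, horizon_seconds: int, space: int) -> float:
    """Chance of guessing one uniformly random PIN within the horizon."""
    return min(max_guesses(threshold, lockout_seconds, horizon_seconds), space) / space


if __name__ == "__main__":
    year = 365 * 24 * 3600
    p = guess_probability(3, 24 * 3600, year, 10**6)
    print(f"guesses per year against one account: {max_guesses(3, 24 * 3600, year)}")
    print(f"probability of success in a year:     {p:.4%}")
    # The trade-off the answer mentions: the same policy lets anyone who knows
    # a username lock its owner out for a day with three wrong guesses.
    now = [0.0]
    policy = LockoutPolicy(clock=lambda: now[0])
    for _ in range(3):
        policy.record_attempt("card-0000", False)
    print("locked after 3 failures:", policy.is_locked("card-0000"))
```

The strict policy only works if the username (here the card number) is hard to enumerate; with guessable usernames the same code becomes a denial-of-service tool against legitimate customers, which is the trade-off the answer draws between banks and webmail providers.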


Original answer

This is a bad, bad policy. There are only 10^6, or a million, different 6-digit numbers. That is far too little.

It is almost impossible to prevent an offline brute force attack, no matter how slow a hashing algorithm you use. If one attempt takes 1 second, you will crack a password in 11 days. It may also be too little to completely stop a clever online brute force attack, if the attacker can use multiple IPs (say, from controlling a botnet) and has many different card numbers to try on.

This is made worse by the fact that, just like with ordinary passwords, most people don't pick them at random. 123456 is bound to show up a lot, and so are numbers that represent dates. In practice, most passwords will have much less than 6×log₂(10) ≈ 20 bits of entropy.

I can see no reason why you should not be allowed to pick a stronger password. This practice sends the signal that they simply do not care about security. It also makes me suspect that somewhere in their database there is a NUMBER(6) instead of a hash stored.

That payments can't be done without another factor of authentication is a bit comforting, but not much. An attacker could still see your account history, something that could contain very sensitive information and also be used for phishing.

Even if this will probably never be used against you, if I were you, I would consider switching to a new bank. Preferably one that requires two-factor authentication at login.

Further comments

There has been some discussion in comments and some good answers with another view have popped up, so I would like to elaborate and respond to some critiques.

But the usernames are secret!

According to the question, the ID card numbers (not to be confused with credit card numbers) are "almost public", and OP has clarified in comments that he has seen lists of them as "results for public sector services". In other words, the usernames are not secret. And they should not have to be – if the security of your system rests on the fact that the usernames are secret, you are doing it wrong.

Rate limit per account and/or IP number will take care of this.

A distributed brute force attack, e.g., using a botnet, would have a decent chance to break a few accounts. Let's say you have 10 000 computers, and each computer tests 3 passwords per day during a month on different accounts. That is about 10^6 attempts. That will give you one account on average if the passwords are truly random. In the real world, you will get much, much more.

Sure, the bank could theoretically have some sophisticated system to detect and defend against attacks like this. Maybe, maybe not. As a customer, I have no way of knowing, and I certainly do not trust an organisation that can't even get the password policy right to do anything more advanced.

An offline attack is irrelevant. If the passwords are out, so are the sensitive data they are protecting.

Maybe, maybe not. There are plenty of data dumps floating around the Internet with incomplete data. To claim that the passwords will be forever glued to your account history makes some very strong assumptions on how the breach happened and how the data was handled afterwards.

Your credit card PIN is only four digits, so what does it matter anyway?

Your credit card PIN is one weak factor in a two-factor authentication. The other factor – possession of the card – makes the system stronger.

This password is a weak factor, and it is also the only factor protecting your financial information.

Conclusion

To be clear, I am not saying it would be impossible for a bank to make this system secure with other means. I am not saying a successful attack on anyone's account is likely, even less so on yours specifically. What I am saying is that this is not "secure enough" for a bank.

The bank has already gone through the trouble of setting up two-factor authentication for financial transfers. Why not just use it for logins as well?

The bank has (hopefully) already gone through the trouble of hashing a password and storing it in a database. Why not just remove the part of the code that limits the password to six digits?