Ever call Fidelity phone support and hear "enter your password on the keypad"? That means collapsing ~62 chars into 10 char options, a massive space reduction.

Then there's the fact that many banking sites (BofA, IIRC) only used the first 8 chars of your password anyway.



Yikes, I didn't know that. Seems like I need to make my Fidelity password 6 times longer.

Does this also mean they probably store passwords in clear text? Because there's no way to normalize the numeric passwords back to letters and symbols.


It doesn't mean that they store in cleartext, but they may as well.

They can generate the phone password on the client side and send both passwords to be salted, hashed, and stored separately.

That much seems OK.

But the salted+hashed phone password is incredibly weak. It can be brute forced readily unless it is very long.

From the brute forced phone password, the regular password can be brute forced as well, since the digits of the phone password tremendously constrain the characters of the regular password.

It's very much like the Hollywood hacking where the hackers progressively lock digits of your password and eventually discover the whole thing.

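The two-stage attack sketched in the comment above, worked through in code. This is an added example, not Fidelity's or any bank's actual scheme; it assumes letters collapse onto the standard ITU E.161 keypad (ABC=2 ... WXYZ=9) case-insensitively, digits map to themselves, and any other character lands on '1' (a guess about punctuation, not something the thread states). Stage 1 brute-forces the salted hash of the 10-digit keypad string; stage 2 enumerates only the regular passwords consistent with those digits.

```python
"""
Phone-keypad password collapse: how mapping a password onto a 10-key phone
keypad shrinks the search space, and how a recovered digit string then
constrains the original password.

Constructed example; the keypad mapping and the salted-SHA-256 storage are
assumptions, not any bank's documented behaviour.
"""
import hashlib
import itertools
import math
import string

# Standard E.161 keypad letter groups (assumption: bank uses the same mapping).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {c: d for d, cs in KEYPAD.items() for c in cs}

# Alphabet the regular password is drawn from: the 62 alphanumerics the
# comment refers to.
ALPHABET = string.ascii_letters + string.digits


def to_keypad(password: str) -> str:
    """Collapse a password onto keypad digits, as an IVR prompt would."""
    out = []
    for ch in password:
        if ch.isdigit():
            out.append(ch)
        elif ch.lower() in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch.lower()])
        else:
            out.append("1")  # assumption: punctuation collapses onto '1'
    return "".join(out)


# Inverse map: for each digit, every ALPHABET character that yields it.
DIGIT_TO_CHARS = {d: [c for c in ALPHABET if to_keypad(c) == d]
                  for d in string.digits}


def keypad_search_space(n: int) -> int:
    return 10 ** n


def full_search_space(n: int) -> int:
    return len(ALPHABET) ** n


def residual_candidates(keypad: str) -> int:
    """How many ALPHABET passwords are consistent with a known keypad string.
    This is what is left to brute-force once the phone password is known."""
    return math.prod(len(DIGIT_TO_CHARS[d]) for d in keypad)


def salted_hash(salt: bytes, pw: str) -> bytes:
    return hashlib.sha256(salt + pw.encode()).digest()


def recover_keypad(n: int, salt: bytes, target: bytes):
    """Stage 1: brute-force the phone password (10^n candidates)."""
    for combo in itertools.product(string.digits, repeat=n):
        cand = "".join(combo)
        if salted_hash(salt, cand) == target:
            return cand
    return None


def recover_password(keypad: str, salt: bytes, target: bytes):
    """Stage 2: enumerate only the passwords that collapse to `keypad`."""
    for combo in itertools.product(*(DIGIT_TO_CHARS[d] for d in keypad)):
        cand = "".join(combo)
        if salted_hash(salt, cand) == target:
            return cand
    return None


def two_stage_recover(n, phone_salt, phone_hash, main_salt, main_hash):
    """Chain both stages; both hashes are salted independently, as the
    comment allows, and the attack still works."""
    keypad = recover_keypad(n, phone_salt, phone_hash)
    if keypad is None:
        return None
    return recover_password(keypad, main_salt, main_hash)


if __name__ == "__main__":
    pw = "Secret42"
    kp = to_keypad(pw)
    print(pw, "->", kp)
    print("keypad space for 8 chars :", keypad_search_space(8))
    print("full alnum space, 8 chars:", full_search_space(8))
    print("candidates left after keypad known:", residual_candidates(kp))
```

For an 8-character alphanumeric password the phone version lives in a space of 10^8, and once it is known the regular password is one of fewer than 10^7 strings instead of one of 62^8: the "lock one digit at a time" effect described above, since each keypad digit pins its position to at most nine characters.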

I'm not sure if this is still true, but at one point you could even use the all numeric version on their website.



