The winner of the strangest internet banking login goes to.... WestPac

I have recently moved to Australia and am adjusting to the Australian
way of life. I signed up for a bank account with WestPac and am pretty
surprised how bad the login to their internet banking site is.

Here is a screenshot of it:

![Westpac Login](

Disclaimer: I am not a security expert and these are only my views.

What is wrong with the login page?

  1. You can only use the mouse to enter the password by clicking on
    the clumsy icons. This is a usability nightmare. It is extremely unintuitive.
  2. The password is limited to 6 characters. Exactly 6 characters. Why
    have they done this? You don't need to be an expert to know that this limits password entropy and results in weak passwords. NB. I know it is limited to 6 characters because when I signed up it said so and if you try and enter more, it just stops working.
  3. The password is clearly not case sensitive.
  4. The password character set is limited to A-Z and 0-9. This excludes
    all "special" characters, again reducing the strength of the password.
  5. The password is clearly visible to anyone looking at the screen. At
    least with a keyboard, some of the keys are obscured by the users hands.

If we briefly compare this to the bank I use in the UK, Nationwide.

  1. Nationwide has two ways to login.

    • Memorable data (they are trying to phase this out)
    • 2 Factor using the card reader (requires you to have your bank card)
  2. Memorable data requires you to have 3 pieces of information.

    • Customer Number
    • Memorable data (a password of your choice)
    • 3 random digits from a 6 digit pin number
  3. The 2 factor login using the card reader requires the following:

    • Customer number
    • The card reader and your bank card

At a glance this seems much more secure.

I do not really know what Westpac are thinking with this login form. I
would love to hear other people's views on this, especially if they
differ from mine.