> The problem isn’t that the passwords are small, it’s that they aren’t being hashed.
How do you know they aren't hashed? And what does that mean? Does it mean they are using DIGEST to avoid sending plain text over the https transport, or they aren't using key expansion for storage?
And does it matter? If someone gets into their internal systems, leaked plain text passwords will be the least of their problems. Total deposits are $500 billion.
> I wonder what happens when you try?
Most people try, because they don't believe the restrictions. The answer is nothing out of the ordinary, of course. As I said, as far as I know it's never been broken. Which is kinda surprising, because their web site has more bugs than most. But it appears they've got that part right.
By the way, 6 alpha-numeric characters makes for about 1 billion combinations. The odds of guessing it in a few random goes are virtually nil, and then you are locked out and have to prove your identity via a third channel. Providing they police the max tries well, it's pretty secure.
> your bank sounds like something next level.
All the large banks are hopeless. They are an absolute nightmare to deal with on every level. This bank has been prosecuted by the Federal Government for AML violations - but again most of them have been prosecuted for grievous unethical behaviour. That doesn't make them insecure.
The OP is wrong about SMS 2 factor - they do support other methods, and insist on it in certain circumstances. The banks do protect themselves. In Australia, the history has been that they are forced to make up their customers' losses. It takes years of investigations, and a lot of suffering in the meantime on the victims' part. But the precedent is well established - karma is a real thing here, and the banks behave accordingly.