HSBC Poor Security Policies

For several years HSBC has provided a key fob to log in and authorise transactions on their website.

Recently they upgraded their mobile applications to generate secure codes, removing the need for a separate device that probably gets lost.

During signup it asks a few questions and for a new password. The text states that passwords must be over 6 characters, so for security I used LastPass to generate a 30-character password.

This was accepted, however only 8 characters were shown on the screen. After double-checking, it turns out that the application silently ignored the other 22 characters and set my password to an 8-character password without warning.

I feel this is especially dangerous for the following reasons:

So I asked HSBC Help UK on Twitter.

I feel this raises security concerns about HSBC if they are willing to have poor security on their systems.
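The silent truncation described above, shown as an added example that is not part of the original post and is not HSBC's code: a store that quietly keeps only the first 8 characters, next to one that hashes the full password and refuses out-of-range lengths with an explicit error. The class names, the PBKDF2 parameters, the 128-character upper bound and the assumption that the weak store also truncates at login are all illustrative.

```python
import hashlib
import hmac
import os

MAX_LEN = 8  # assumed limit, matching the 8 characters the post says were kept
SAMPLE = "kV9#tq2LmZ0p!wXr7Bn4Hs6Yd1Gf3J"  # constructed 30-character password


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Weak behaviour: input beyond MAX_LEN is dropped without telling the user."""

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = _hash(password[:MAX_LEN], self.salt)

    def verify(self, attempt: str) -> bool:
        # Assumption: the login path truncates the same way as signup.
        return hmac.compare_digest(self.digest, _hash(attempt[:MAX_LEN], self.salt))


class StrictStore:
    """Corrected behaviour: hash the whole password, reject bad lengths loudly."""

    def __init__(self, min_len: int = 7, max_len: int = 128):
        self.min_len, self.max_len = min_len, max_len

    def set_password(self, password: str) -> None:
        if not self.min_len <= len(password) <= self.max_len:
            raise ValueError(f"password must be {self.min_len}-{self.max_len} characters")
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)

    def verify(self, attempt: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(attempt, self.salt))


def demo():
    # A different password that shares only the first 8 characters with SAMPLE.
    lookalike = SAMPLE[:MAX_LEN] + "x" * 22
    weak, strict = TruncatingStore(), StrictStore()
    weak.set_password(SAMPLE)
    strict.set_password(SAMPLE)
    return weak.verify(lookalike), strict.verify(lookalike)


if __name__ == "__main__":
    print(demo())
```

With the truncating store, the 22 extra characters contribute nothing: any input with the same first 8 characters is accepted, while the strict store accepts only the full password.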