It would have been nice if the EBA, in designing the standard, had got all banks to agree on exactly what must and/or can/cannot be in a password, e.g. range of lengths, must/can it have upper and lower case, must/can it include numbers, must/can it include other characters and if so which ones. Every bank seems to have a different ideas and even different ideas within the same bank for different passwords.
It would also be nice, when creating a password for the first time in signing up for an account, if it listed the requirements below the box. NS&I are (were?) particularly bad. When I first signed up for an online account I think I entered a long password using only lower case letters and numbers. I got an error that the password must include both upper and lower case letters. When I changed the password to include upper case letters I then got another error that the password must include non-alphanumeric characters. I changed the password yet again and I got a third message saying that the non-alphanumeric character I had chosen was not one of the allowed characters and gave me a list of ones that were. A good lesson in how to maximise customer irritation.
Lloyds also use the drop down boxes in which you have to select specified characters from a password, a to z and 0 to 9. Unfortunately the box isn't quite long enough so you have to scroll down to select higher letters and all the numbers. Why not make the boxes a bit longer?
I think Barclays and possibly HSBC are using the card reader technique but I am not sure where in the sequence they are used. Lloyds and Santander seem to be relying on SMS/landline authentication. Alpha bank in Greece used to use a dongle to generate a one time code but seem to have abandoned that in favour of SMS. I still haven't fully worked out when they are asking for extra verification and when they aren't. If I am making an online payment, i.e. on the supplier's web site not the bank's, with my credit card I seem to get sent an SMS every time. I can log onto my account with a single password, however, and make online payments to DEI, DEYBA, Cosmote, tax office etc with no extra verification. Previously I could log onto the account with a single password but I would would have had to enter a code from the dongle every time I made any kind of payment so security there has got less not more. I haven't tried to make an online transfer to an individual since the new rules came in so I don't know what happens then.
All the above refers to using browser access not a banking app.