Unusual? Yes. Crazy? No. Read on to understand why...
I expect your bank has a strong lockout policy, for example, three incorrect login attempts locks the account for 24 hours. If that is the case, a 6-digit PIN is not as vulnerable as you might think. An attacker that tried three PINs every day for a whole year would still only have about a 0.1% chance of guessing the PIN.
Most websites (Facebook, Gmail, etc.) use either email addresses or user-selected names as the user name, and these are readily guessable by attackers. Such sites tend to have a much more relaxed lockout policy, for example, three incorrect logins locks the account for 60 seconds. If they had a stronger lockout policy, hackers could cause all sorts of trouble by locking legitimate people out of their accounts. The need to keep accounts secure with a relaxed lockout policy is why they insist on strong passwords.
In the case of your bank, the user name is a 16-digit number - your card number. You do generally keep your card number private. Sure, you use it for card transactions (online and offline) and it is in your wallet in plaintext - but it is reasonably private. This allows the bank to have a stronger lockout policy without exposing users to denial of service attacks.
In practical terms, this arrangement is secure. If your house mate finds your card, they can't access your account because they don't know the PIN. If some hacker tries to bulk hack thousands of accounts, they can't because they don't know the card numbers. Most account compromises occur because of phishing or malware, and a 6-digit PIN is no more vulnerable to those attacks than a very long and complex password. I suspect that your bank has no more day-to-day security problems than other banks that use normal passwords.
You mention that transactions need multi-factor authentication. So the main risk of a compromised PIN is that someone could view your private banking details. They could see your salary, and your history of dodgy purchases. A few people have mentioned that a 6-digit PIN is trivially vulnerable to an offline brute force attack. So if someone stole the database, they could crack your hash, and get your PIN. While that is true, it doesn't greatly matter. If they cracked your PIN they could login and see your banking history - but not make transactions. But in that scenario they can see your banking history anyway - they've already stolen the database!
So while this arrangement is not typical, it appears that it is not so crazy after all. One benefit it may have is that people won't reuse the same password on other sites. I suspect they have done this for usability reasons - people complained that they couldn't remember the long, complex passwords that the site previously required.
A 6 digit numerical password doesn't do much.
Why 6 Digits?
Troy Hunt has an excellent blog about being forced to create weak passwords where he talks about various bad practices including forcing short numerical passwords and puts forward the often used excuse that
“We want to allow people to use the same password on the telephone keypad”
The only valid reason to require a numerical only password is that the only input available to a user is numerical (e.g. with ATMs); (similarly the only valid reason to require a human readable password is that a human will read it - which would be a very bad sign if it was used not just for telephone banking, but for the website too).
But if that is the reason, why on earth would they force you to use the same insecure pass code online (or on mobile), when you have access to a full qwerty keyboard?
How easy to brute force the way in?
There are $10^6$ possible passwords consisting of 6 digits.
For an unskilled attacker, getting into your account is no problem at all if they have your username and unlimited attempts. You should assume they have your username. Usernames are not secrets.
Let's maybe assume the bank has thought of this, and locks each account after 3 bad tries, or perhaps initiates a robot-limiting option like a captcha to try again after that. Then the attacker still has a 3/1000000 chance of getting into a random account within that window.
That means if they attack 1000000 accounts, they can expect to get into 3. And making 3000000 requests would not take very long at all.
Compare that to how many passwords there are with 6 alphanumeric characters (by most security standards, far too short, and not complex enough).
There are $62^6 = 56800235584$ possible 6-character alphanumeric passwords. That's still too weak but it's already 56800 times stronger!
Stored securely?
Needless to say, if the user database was breached, $10^6$ possible passwords is ridiculously low entropy, and whatever hashing and salting system they've used, they can't keep your passcode secure.
Your bank's plan in the case of a database breach is presumably to roll over and cry. Maybe they think the outcome is so bad they just aren't going to plan for it.
Assuming the other authentication method is secure, should I worry?
An attacker seeing your finance history is a really big issue; you should be worried even if the other authentication method blocking transfers is secure. And you should not expect the other method to be secure.
How much other information is leaked about you without the 2nd authentication method? Your name, address, email, maybe?
These are more than enough to start doing background research on you, to get additional info - these could be clues to your other password, or good strong information on how to phish you. They might try calling you, using the information they have on you so far to gain your trust, pretending to be the bank, and trick you into revealing other secrets about yourself under a ruse that you need to authenticate to them by answering the last few questions they need in order to get into your account.
As another example, if the 2nd authentication method is a strong password, but you (and for most customers the "you" isn't tech savvy) happen to have ever been included in a database breach for another website where you used the same username/email and password, then it's game over. This logic applies to any username/password based system, but is particularly relevant in this case because the attacker is able to discover other information about you exposed by the first insecure authentication method, and because the 2nd password is now the only barrier to them taking your money. This is one reason why the industry standard is to require 2-factor authentication on banking websites before showing the user anything.
As for industry standards: my bank has no maximum password length, accepts special characters, and then follows it up with a 2nd passcode which can only be entered by selecting some letters from a series of drop-downs (so the entire 2nd passcode isn't used in a single attempt).
I'd prefer it if my bank used an out of band 2nd authentication factor; such as a code being sent to my phone.
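A small calculator for the figures the two answers above work through (the per-account lockout argument, the spraying estimate, and the 6-digit vs. 6-alphanumeric keyspace comparison), added here as an example and not code from the thread; the numbers it plugs in are the thread's own, and the `repeat` switch covers the independent-guess model the probability answers further down use.

```python
"""Quantify the online guessing risk of a 6-digit numeric PIN under a
per-account lockout policy.

Added illustration for this thread, not code from either answer. The
scenarios are the ones the answers describe; the figures used (10 digits,
6 positions, 3 guesses per lockout window, 62^6 alphanumeric comparison)
are taken from the thread.
"""
from fractions import Fraction


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols over the alphabet."""
    return alphabet_size ** length


def p_success(space: int, attempts: int, repeat: bool = False) -> Fraction:
    """Probability that a uniformly random guesser hits the secret within
    `attempts` tries. With repeat=False the guesser never repeats a value,
    so the probability is exactly attempts/space; with repeat=True each
    try is independent, giving 1 - (1 - 1/space)^attempts."""
    if repeat:
        return 1 - (1 - Fraction(1, space)) ** attempts
    return Fraction(min(attempts, space), space)


def expected_compromised(space: int, attempts_each: int, accounts: int) -> Fraction:
    """Expected accounts broken when `attempts_each` guesses are sprayed
    at each of `accounts` independent accounts (linearity of expectation;
    the lockout limits tries per account, not the number of accounts)."""
    return accounts * p_success(space, attempts_each)


def bank_year_scenario() -> Fraction:
    """First answer: 3 PIN guesses per day, every day for a year, one account."""
    return p_success(keyspace(10, 6), 3 * 365)


def spray_scenario() -> Fraction:
    """Second answer: 3 guesses against each of 1,000,000 accounts."""
    return expected_compromised(keyspace(10, 6), 3, 1_000_000)


def strength_ratio() -> Fraction:
    """Second answer: how many times larger the 6-char alphanumeric space is."""
    return Fraction(keyspace(62, 6), keyspace(10, 6))


if __name__ == "__main__":
    print(f"3 tries/day for a year: {float(bank_year_scenario()):.4%} chance of success")
    print(f"3 tries x 1M accounts:  {float(spray_scenario()):.1f} expected compromises")
    print(f"62^6 / 10^6:            {float(strength_ratio()):.1f}x larger keyspace")
```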
Answering (a):
The probability that the correct password will be entered is $\frac{1}{36^6}$
The probability that the correct password will not be entered is $1-\frac{1}{36^6}$
The probability that the correct password will not be entered after $n$ attempts is $(1-\frac{1}{36^6})^n$
Hence the probability that the correct password will never be entered is $\lim\limits_{n\to\infty}(1-\frac{1}{36^6})^n=0$
Answering (b):
Having entered a password:
The probability to enter the same password is $\frac{1}{36^6}$
The probability to enter a different password is $1-\frac{1}{36^6}$
The probability to enter a different password over $n$ attempts is $(1-\frac{1}{36^6})^n$
Hence the probability to always enter a different password is $\lim\limits_{n\to\infty}(1-\frac{1}{36^6})^n=0$
Hence the probability to eventually enter the same password is $1-\lim\limits_{n\to\infty}(1-\frac{1}{36^6})^n=1$
If there are $6$ digits with $36$ possible values each, I think there are $36^6$ possible combinations altogether.
Regardless of the exact number of combinations, your reasoning for part (a) is sound.
For part (b), if you keep on making guesses indefinitely (not stopping after you guess the correct password), then eventually you will guess the same value twice in a row with probability $1$ (for reasons similar to part (a)).
If the question is which will happen first, guessing the correct password or making the same guess twice consecutively, consider that after the first guess, each time you guess another sequence of six digits you have an equal chance to guess the correct password or to guess the same sequence as the previous guess. There is a possibility that you will guess the correct password on the very first attempt, however.
Addendum: Calculations for part (b).
If you interpret the problem to mean that guessing will stop when a correct password is guessed, then one way to work the answer is as follows.
Let $p$ be the probability of each possible outcome of each guess. In this particular problem, $p = \frac1{36^6}.$ Consider the first pair of consecutive guesses that are the same. For this to occur on guesses number $n+1$ and $n+2$ requires the following sequence of events:
- The first guess is not the correct password. This occurs with probability $1-p.$
- Each of the next $n$ guesses is neither the correct password nor the same as the previous guess. Each of these events has probability $1-2p$ given that all the previously required events occurred (that is, given that no previous guess was the correct password).
- The guess after that sequence (that is, guess number $n+2$) is the same as the guess before it. This occurs with probability $p.$
This is the story for any non-negative integer $n$, and there is no other way to guess the same password twice. Moreover, the cases for $n = 0, 1, 2, \ldots$ are all disjoint outcomes, since you can only have one "first pair of equal guesses" in any given experiment. The probability that we will have at least one pair of consecutive equal guesses is therefore the sum of probabilities over all these cases: $$\sum_{n=0}^\infty p(1-p) (1-2p)^n.$$ This is the sum of a geometric series, so it is not hard to evaluate.
A simpler method is to consider that to guess the same password twice, our first guess must differ from the correct password (which happens with probability $1-p$), and on each guess after that we have an equal chance either to guess correctly (in which case we stop guessing) or to guess the same password as the previous guess. By symmetry, neither of these events is more likely than the other to occur first. But if a correct guess occurs first, then we never have a duplicate, whereas if a duplicate guess occurs first then of course we do have a duplicate. That gives us a $\frac12$ chance of a duplicate if the first guess is not correct, which gives us an overall probability of $\frac12(1-p).$
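Carrying the geometric series above through to a closed form, as an added check (not part of the original answer) that the sum and the symmetry argument agree:

$$\sum_{n=0}^\infty p(1-p)(1-2p)^n = p(1-p)\sum_{n=0}^\infty (1-2p)^n = \frac{p(1-p)}{1-(1-2p)} = \frac{p(1-p)}{2p} = \frac{1-p}{2},$$

where the series converges because $0 < 1-2p < 1$ for $p = \frac{1}{36^6}$; this is exactly the $\frac12(1-p)$ obtained by the symmetry argument.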