How to lose customers with excessive security

Galen Gruman | Nov. 24, 2014
If your service or product security works like a prison, don't be surprised when users and customers go elsewhere.

I've never had a bank as onerous in its security as this one, a local San Francisco establishment called Sterling Bank. My family and I have banked at Bank of America, Bank of the West, Chase, Umpqua Bank, regional credit unions, and others, and none has had such burdensome security requirements and hassle-heavy recovery methods.

I don't know why Sterling's system is so laborious - its IT group simply cited security, and its branch manager rolled his eyes and said it's driving customers away but IT refuses to reconsider its approach. But I know that every time I was forced to change my password, I got locked out when trying to enter whatever new one I could think of.

My browser's save-password feature helped me log in until the next password change, but it helped me not at all on my mobile devices, where I had to remember the complex passwords, then enter them on a small keyboard. I learned not to use mobile banking because most of the time I managed to lock myself out when trying to access it. If I was on the road, as I tended to be when using my mobile device, I had to choose between not doing any banking or risking being locked out, as it was usually hard to find the time to call customer support when traveling - and of course I didn't have any of my bank info with me.

Some security pros will tell you there are tricks you can use to remember arcane passwords, but they don't scale. (Also, it's questionable whether password complexity does any good anyhow.) User ID and password requirements differ widely, so any pattern-based method falls short because of this requirement or that. You either keep a master list of all your account IDs and passwords, or you try the likely combinations in hopes of getting it right before you reach the lockout threshold.

The truth is that IT often applies password policies that don't make sense, having bought into the same kinds of magical thinking that users do.

There has to be a better way. Until there is, both IT and business managers need to be smarter about the cost of security relative to the risk. If you are too lax, you have much to lose. But if you are too strict, you also have much to lose. We tend to forget that second truth.

Source: InfoWorld