I'm new to BECU, and I was disappointed at the level of security of my BECU account(s): I don't know if my password is salted and hashed/encrypted on storage, but the WWW site limits my password to 32 characters. There shoud be no password length limit and, if you're salting and hashing properly (and storing just the hash), there should be no password length limit at all. If I want to enter 50 or 100 or 200 bytes, so be it. SMS authentication is poor. If you're uncertain on that, talk to any security expert (or read prior responses here). Support Yubikey and time-based 2FA (Google Authenticator, 1Password, Microsoft Authenticator, etc). Support SMS only as a last resort, but offer other options first! I like the password and security questions. But: Once you prove you're you, the WWW shouldn't prompt for security questions on every single login. That's annoying and makes the WWW site a hassle to use. Username, password, and 2FA (not via SMS) is fine for unproven connections. Use the security questions for password resets.
... View more