Actually some America banks are like that.

Despite allowing longer password, the system don’t care beyond certain number of characters.

Not sure the practice is still that way these days.

The situation at CIMB is not optimal but accounts are still secure. I think CIMB actually lock the account after 3 failed attempts.

“The standard DES-based crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).”

Not sure if this is actually the case. My 2 cents.

http://php.net/manual/en/function.crypt.php