The problem seems to be that most people use "jim1234" as a password, but we all must admit that it's inevitable after all. If you force users to use "1337p4SS@$@%", the most likely thing is that they'll write the password on a piece of paper, which is far worse imho. The best thing would be limiting user rights at a paranoid level, because password theft is inevitable. Of course there are no rights to limit in a banking system, so the best way would be to check other details too, like phone or ID number.