The (presumably) secure Verified by Visa payment authentication system developed by Visa forces users to select weak passwords:
They force the user to select passwords of at least 6 and at most 8 characters, and
they prevent the use of any special characters (!@#$...); only alphanumeric characters are allowed.
[Update 2011-06-01: apparently Verified by Visa is not responsible for this flaw, but my bank, Wells Fargo, as a user of Verified by Visa, is the culprit for enforcing weak passwords.]
This password space is so small that if it were used on a Windows machine it would take less than 2.5 hours to brute-force with oclHashcat on a 4 x HD 5970 machine. (Windows uses NTLM to hash passwords, which oclHashcat brute-forces at 6.194 billion per second on a single 5970: (62**8 + 62**7 + 62**6) / (4*6194e6) / 3600 = 2.49 hours).
Visa's password hashes (assuming they hash them, and with something more secure than NTLM!) are not available to attackers, but they have zero reason to enforce such a small password space:
the hashes could get stolen, as happened to Hotmail, MySpace, Facebook, Gawker, etc., and could be brute-forced easily, and
it certainly unteaches strong password selection methodologies that we, IT Security Professionals, have been painfully trying to explain to users since passwords were invented.
Why does one of the world's first financial services companies get security wrong?
The most ironic part is that a few months ago, they made the exact opposite mistake: Visa was enforcing password requirements that were overly complex. The right solution is obviously the middle ground: require passwords of at least 7 characters in length to comply with PCI DSS, and allow users to choose very complex passwords if they want to. If I want to type a fully random 128-character password, you should let me do so.
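To make the keyspace arithmetic above reproducible and to contrast the two policies discussed, here is an added example (not code from the original post): it computes the size of a password space for a length range and character set, the worst-case time to exhaust it at a given guess rate, and models the weak 6-8 alphanumeric policy next to the suggested "at least 7, anything goes" policy. The 6.194e9 NTLM guesses/s per HD 5970 figure and the 4-card setup are taken from the post; the 95-character printable-ASCII set used for comparison is my assumption.

```python
import string

# Parameters quoted in the post: 62 alphanumeric characters, oclHashcat NTLM
# rate of 6.194e9 guesses/s on one HD 5970, four cards in the rig.
ALNUM = string.ascii_letters + string.digits            # 62 characters
PRINTABLE = len(string.printable.strip()) + 1           # 95 printable ASCII (assumed set)
NTLM_RATE_PER_5970 = 6.194e9
CARDS = 4


def keyspace(charset_size, min_len, max_len):
    """Number of distinct passwords with length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(charset_size, min_len, max_len, guesses_per_second):
    """Worst-case hours to try every password in the space at the given rate."""
    return keyspace(charset_size, min_len, max_len) / guesses_per_second / 3600


def check_policy(password, min_len, max_len=None, alnum_only=False):
    """Return None if the password satisfies the policy, else the reason it fails.

    max_len=None means no upper bound; alnum_only=True rejects any character
    outside [A-Za-z0-9], which is the restriction the post complains about.
    """
    if len(password) < min_len:
        return "too short: fewer than %d characters" % min_len
    if max_len is not None and len(password) > max_len:
        return "too long: more than %d characters" % max_len
    if alnum_only and any(c not in ALNUM for c in password):
        return "special characters are not allowed"
    return None


if __name__ == "__main__":
    rig = CARDS * NTLM_RATE_PER_5970
    # The bank's policy: 6..8 chars, alphanumeric only -> about 2.49 hours.
    print("6-8 alnum, NTLM on 4x5970: %.2f hours" % hours_to_exhaust(62, 6, 8, rig))
    # Same rig against 7..12 chars drawn from 95 printable characters.
    print("7-12 printable, same rig: %.3g years"
          % (hours_to_exhaust(PRINTABLE, 7, 12, rig) / (24 * 365)))
    # The two policies applied to a long random-looking password.
    print(check_policy("Tr0ub4dor&3", 6, 8, alnum_only=True))   # rejected
    print(check_policy("Tr0ub4dor&3", 7))                       # None: accepted
```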