Eli5 why websites, apps and devices require complicated passwords, yet credit / debit cards only require a 4 digit pin


4 Answers

Anonymous 0 Comments

In security there are generally considered to be 3 different authentication factors, in ascending order of their inherent security:

1. Something you _know_ (pins, passwords etc.)

2. Something you _have_ (Keyfobs etc.)

3. Something you _are_ (Fingerprints etc.)

A bankcard automatically falls under 2 security factors: Nr. 1, the PIN, and Nr. 2, the physical card. Because it relies on both of these factors, neither one has to be super powerful. Most websites only have an inherent requirement for 1 factor, the password. Because one singular factor, and the weakest one at that, is much easier to compromise than 2 simultaneous factors, the requirements for the password strength have to be higher.

Also, as a PSA: You should use 2 factor authentication on **every single one** of your important accounts, no matter how secure or complex your passwords are. I’m not kidding, if you don’t already, go and set it up right now. Using a second factor increases security exponentially. A weak password and 2nd factor is much harder to compromise than a strong password with no other factors.
