First, I think a lot of banks require or at least allow 6 digit PINs these days.

But on to why it’s okay for them to be short…

Password logins require one thing. All you need is the password (and username, but that’s easy enough to get and is considered public).

A card’s PIN requires two things: physical possession of the card *and* the PIN code. (If you’ve heard of two-factor authentication before, that’s essentially what the card PIN is trying to be). Because it’s not the only thing you need to access the bank account, it’s theoretically okay for it to be short. Just don’t reuse your PIN because that will make it drastically less secure.

Of course, a _longer_ PIN is always better, but there are other reasons why banks allow a short PIN.

Bonus Section:

ATMs and PIN codes are old technology invented in the 60s; each PIN was originally meant to be used once for a particular cheque. In that case, a four-digit one-time password that also requires a physical object is actually remarkably secure.

All this time, PIN codes have stuck around because they’re easy to remember for humans. A longer code might just encourage people to create PIN codes with certain patterns or substitute numbers for letters and use common, easily guessed words. ATMs also help by only allowing you to enter a wrong PIN a certain number of times.

Finally, banks just don’t have an incentive to change this system. Number pads are cheaper to make than full keyboards, and changing from PINs to passwords would be very expensive since they’d have to upgrade a lot of old systems and millions of ATMs.