Reverse engineering my bank's security token (valverde.me)
31 points by Ecio78 on Feb 8, 2014 | 4 comments


Previous discussion from about a month ago with lots of comments: https://news.ycombinator.com/item?id=7009368


I'd have to say that TD bank has the worst password reset I've ever seen. You just need the person's access card number, and be able to answer one of 3 questions (what's my favorite book, etc.) and you get to change the password. Doesn't even notify the person.


On the polar opposite, my bank couldn't work out CSRF tokens and so just blanket bans any use of the navigation. Use that back button? Logged out!


Ah yes, RuntimeException for random application-level errors. Always a great practice.



