The external website https://filippo.io/Heartbleed/#www.usaa.com used to test for ONLY the Heartbleed security is NOT a full security assessment.
A FULL LEVEL website security test is publicly available for free at:
Just input the full website name and click on submit.
The website is run by http://www.qualys.com/.
A vast array of hundreds of key details are tested and reported back to you, along with a "quality" letter grade at the top of the report.
Try inputting other websites and see what this well known web security company says about them.
You will be very surprised at what "quality" of security levels is out there on many other websites.
Here is an UPDATE to my earlier reply posted here.
1. USAA Member Concerns (Now Answered):
3. This will be my last update on this subject.
Keeping Everyone Informed
2 points of input from a web developer's perspective:
1) 12 characters is perhaps a "sufficient" length for passwords...for now. It is by no means future-proof, though. I also question why the limit is imposed in the first place; most modern hashing algorithms aren't affected by length. I for one want my passwords to be at least 20, if not 30+ characters, regardless of multi-factor authentication methods. When it comes to banking, insurance, and investments, you can never be too careful...surely you must know this.
2) If you're going to insist on limiting our password length, PLEASE do users a favor and tell us on the password-change screen...don't just lop off our input. I use a password manager that generates long, secure passwords, and trying to paste a password in fails because it's longer than the accepted input. Not knowing how long the password can be forces me to count characters and guess. I have a huge pet peeve about good UX, and simply imposing the limit and not telling your users is not good UX.
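The silent-truncation problem raised in the post above, as an added example that is not part of the original thread and not the site's code: it compares a password-change handler that drops input past the limit with one that rejects it and states the limit. The function names, the PBKDF2 parameters and the sample password are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

MAX_LEN = 12          # the limit discussed in the thread
ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 returns 32 bytes whatever the input length,
    # so storage size gives no reason to cap the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def set_password_truncating(password: str, salt: bytes) -> bytes:
    # Behaviour the post objects to: input past MAX_LEN is silently dropped.
    return hash_password(password[:MAX_LEN], salt)

def set_password_explicit(password: str, salt: bytes, max_len: int = MAX_LEN) -> bytes:
    # If a limit must exist, state it and reject instead of truncating.
    if len(password) > max_len:
        raise ValueError(
            f"Password is {len(password)} characters; the maximum is {max_len}."
        )
    return hash_password(password, salt)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)

def demo() -> dict:
    salt = os.urandom(16)
    generated = "vK8#qLz2!mT9wR4@xN6$bH1&yP3^cJ"  # constructed 30-character sample
    stored = set_password_truncating(generated, salt)
    try:
        set_password_explicit(generated, salt)
        message = None
    except ValueError as exc:
        message = str(exc)
    return {
        "hash_len_short": len(hash_password("a" * 12, salt)),
        "hash_len_long": len(hash_password("a" * 64, salt)),
        "full_password_matches": verify(generated, salt, stored),
        "first_12_chars_match": verify(generated[:MAX_LEN], salt, stored),
        "explicit_message": message,
    }
```

After the truncating handler runs, the password the manager saved no longer verifies, while its first 12 characters do, which is why the user needs to be told the limit at the point of entry.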