This is exactly what my bank requires. Worst part after I told them that this is irresponsible: A few years ago they only allowed a 5-digit PIN for their web login.
Mine used to beat yours by one, as the code was by default the actual PIN of my credit card, while the username itself was 6 digits. It's so... vile I can't even begin to describe it.
That's okay as long as the account is inactivated after 3 failed login attempts. Which is, of course, only sensible for banks which have local branches where you can re-activate your account.
For a pure online bank this would be irresponsible, indeed.
It's not even okay then. If I know that the universe of possible passwords is so small, it's possible to use that to allow me to crack the encryption much more easily (for example).
