That used to be strong enough and it obviously helps by offering some protection but not enough these days.
The tiger story is again relevant here in that the way to think about escaping isn't outrunning the tiger. As I mentioned they don't try to break in to 'your account' by guessing your credentials. They get hold of username lists (bought from dark web sites) and then they try a specific combination of letters against all of them. Bear in mind that 3 years ago 38 million people used online banking - so there is a lot to got at. Choose the most commonly used letters E, T, A and try them in 3 combinations (for the 3 tries before suspension - although they typically only try twice so as not to trigger an obvious level of suspensions). Then start trying to log on. Won't take you long and you will get in if the only security was the random password. TBH these days there are people that make money by cracking those passwords and then selling the username and passwords on the 'dark web'. You can test the validity of this yourselves if you like. i.e. does your own online password contain any 3 of these letters (E, T, A, I, N, O, S). TBH it doesn't really matter if it does or doesn't because with only 26 letters and 10 numbers and some special characters but against 38- 40m users they will likely get in, which is why the additional layers have been introduced - one off passwords etc.
When online banking started simple data encryption defeated anything but the largest mainframe computers. Now my mobile phone has more computing power and data storage than a certain bank used to launch it's entire banking system. The world moves on. I find it so frustrating that people that are clever and organised enough to manufacture large scale fraud operations like this simply don't apply it to a genuinely productive business.