Sunday, March 9, 2008

Please write down your PIN

The following is a screen shot from an information system.




If this is an ATM or telephone-banking application, a digit-only secret such as a PIN is reasonable, given the constraints of the keypad. But why not allow a PIN to start with zero?

0123456 parsed as an integer is the same value as 123456: the leading zero is simply lost. I suspect the programmer stored the PIN as an integer rather than as a string, and the rule "no PIN may start with zero" was added to paper over that. The side effect is a smaller key space: a six-digit PIN that may not begin with zero has 900,000 possible values instead of 1,000,000.

The authentication scheme of this information system may violate two security principles:
1. Don't store the password itself on the authentication server; store a salted hash instead. Had the PIN been hashed as a string before storage, a leading zero would have caused no trouble at all.
2. Don't ask the customer to write down the PIN.