by CM30 3336 days ago
Another example of possible poor security (which seems to be depressingly common with UK banks) is to ask for certain characters from your password. Like say, the 1st, 3rd and 5th characters in the word.

However, if the password was encrypted, they shouldn't really have this information, should they? So by asking for it, they're basically admitting everything's stored in either plain text (very bad) or a reversible form of encryption (also quite bad).

There are other complaints about this too (like accidentally encouraging people to write the passwords down so they can figure out which character is the 3rd one or what not):

https://security.stackexchange.com/questions/64589/is-it-bad...

And it also doesn't seem much like a good deterrent against keyloggers. But yeah, quite a few banking sites do this, which is a tad worrying.
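
An added illustration of the storage argument in the comment above (not part of the original post and not any bank's code): a single salted hash can only confirm the whole password, while a hypothetical per-character hashing scheme that could answer "1st, 3rd and 5th character" challenges is inverted by whoever holds the stored records. The per-character scheme, the function names, the character set and the sample password in the test are assumptions constructed for the example.

```python
import hashlib, hmac, os, string

ALPHABET = string.printable[:95]  # assumed password character set (printable ASCII)

def kdf(data: bytes, salt: bytes) -> bytes:
    # Low iteration count only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 500)

def enroll_whole(password: str) -> dict:
    """Conventional storage: one salted hash over the whole password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": kdf(password.encode(), salt)}

def verify_whole(record: dict, attempt: str) -> bool:
    # The record holds nothing about individual positions, so the only
    # question it can answer is "is this the complete password?".
    return hmac.compare_digest(record["hash"], kdf(attempt.encode(), record["salt"]))

def enroll_per_char(password: str) -> list:
    """Hypothetical scheme: a separate salted hash for every position."""
    record = []
    for ch in password:
        salt = os.urandom(16)
        record.append((salt, kdf(ch.encode(), salt)))
    return record

def verify_positions(record: list, answers: dict) -> bool:
    """Check a challenge such as {1: 'c', 3: 'r', 5: 'e'} (1-based positions)."""
    ok = True
    for pos, ch in answers.items():
        salt, digest = record[pos - 1]
        ok &= hmac.compare_digest(digest, kdf(ch.encode(), salt))
    return ok

def recover_from_per_char(record: list) -> str:
    """Why per-character hashes are effectively reversible: each slot has at
    most len(ALPHABET) candidates, so the stored records give back the password."""
    return "".join(
        next(c for c in ALPHABET if hmac.compare_digest(kdf(c.encode(), salt), digest))
        for salt, digest in record
    )
```
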