by deepspace
2664 days ago
Exactly this. I have the misfortune of occasionally needing to deal with an online banking portal (located in South Africa) that uses this stupid scheme. Every time I log in, I wish an eternity of torture on the idiots who came up with it. I just cannot imagine the thought process of the people who thought that partial passwords could be better in any way than classic passwords.

In the 90s, laws in multiple countries asked banks to research and implement Two-Factor security. They invented all of these stupid, stupid Wish-It-Were-Two-Factor things that are not Two-Factor but "feel Two-Factor enough" to avoid actually deploying proper 2FA, but avoid security fines: "Security Questions" (bonus passwords, still 1FA), multi-step login with "user selected pictures" (not an extra factor, just a silly memory game to potentially cut down on phishing), "partial passwords" (still 1FA).
(Then other idiot sites copy these "security best practices" because Banks use them, rather than actual security best practices.)
It is starting to seem like a lot of the money spent on the development effort of these "not 2FA" workarounds and portal workflows could easily have just paid for sending every bank customer a YubiKey or three by now.