by godfreykfc 4829 days ago
Wait. Doesn't that imply your bank is storing your password in plaintext, or at best salted and hashed each individual character of your password? (Which is still horrible, because it now takes O(n) instead of O(n^8) to crack stolen hashes)
3 comments

Oh they probably are storing it in plaintext

I believe they have some legitimate reasons for doing that (like the example quotes)

Another reason for specifying a length/limits is that you may need to type it using another device (like an ATM) and keeping it apart from other passwords (if you allow everything, you'll just use your gmail password or something)

Now, to be honest, if you break into a bank db, why are you going to bother with passwords?

Or they could generate, say, 10 masks, hash them along with the password and then only present you with one random mask from those 10.
The client, or server, could just concatenate all the chars and then calculate whatever hash you desire of the result. Or?

Yes, if the machine is compromised the attacker could do it as well but the point was to prevent keyloggers specifically.

If I understand correctly, you are only asked to fill in a few of the 8 characters. (I have seen this before.)

You are presented with

* * [ ] * [ ] * * [ ]

and you are supposed to submit

* * [3] * [5] * * [8]

so neither side would have enough information to reconstruct the full password based on the user's input alone.
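The "hash a handful of masks with the password, then challenge with one of them" scheme from the comment above, combined with the `* * [ ] * [ ] * * [ ]` prompt, as an added example that is not from this thread or any bank's code. It assumes 0-based positions, PBKDF2 as the stretching function, and a constructed sample password and masks; the `offline_guess_space` helper makes the thread's caveat concrete: a stolen record only has to be searched per 3-character subset, not per full password.

```python
import hashlib
import hmac
import os
import random

ITERATIONS = 100_000  # PBKDF2 work factor for the demo; raise it in production


def render_prompt(mask, pw_len):
    """Render a mask as the prompt shown in the thread, e.g. '* * [ ] * [ ] * * [ ]'."""
    return " ".join("[ ]" if i in mask else "*" for i in range(pw_len))


def enroll(password, masks):
    """Store one salted, stretched hash per mask of selected positions.

    Neither the full password nor its individual characters are stored, so a
    stolen record only lets an attacker search each selected subset.
    """
    record = []
    for mask in masks:
        salt = os.urandom(16)
        partial = "".join(password[i] for i in mask).encode()
        digest = hashlib.pbkdf2_hmac("sha256", partial, salt, ITERATIONS)
        record.append({"mask": tuple(mask), "salt": salt, "hash": digest})
    return record


def challenge(record, rng=None):
    """Pick one stored mask at random; return its index and the mask to prompt with."""
    rng = rng or random.SystemRandom()
    idx = rng.randrange(len(record))
    return idx, record[idx]["mask"]


def verify(record, idx, typed_chars):
    """Check the characters typed for the challenged mask (constant-time compare)."""
    entry = record[idx]
    digest = hashlib.pbkdf2_hmac("sha256", typed_chars.encode(), entry["salt"], ITERATIONS)
    return hmac.compare_digest(digest, entry["hash"])


def offline_guess_space(alphabet_size, mask):
    """Guesses needed to brute-force one stored partial: the thread's O(n^k) caveat."""
    return alphabet_size ** len(mask)


if __name__ == "__main__":
    masks = [(2, 4, 7), (0, 3, 6), (1, 5, 7)]  # constructed sample masks (0-based)
    record = enroll("s3cretPw", masks)        # constructed sample password
    idx, mask = challenge(record)
    print(render_prompt(mask, 8))
    print(verify(record, idx, "".join("s3cretPw"[i] for i in mask)))
```

A keylogger that captures one session learns only the three characters for that mask, which is the threat the scheme targets; the guess-space figure shows why it does little against theft of the stored record.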