When I log into my bank, it doesn't ask for my full password - instead, it asks for two randomly chosen characters from the password. I guess the idea is to make it more difficult for a keylogger to determine the password. But doesn't it mean that my password must be stored in plain text on the server? Isn't that far worse for security than having the user provide the full password?

Edit: Actually the bank requires more than just two characters. Here's their login screen:

http://imgur.com/ngRcB

The bank is NatWest in the UK. And yes, it's over HTTPS.
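The following is an added illustration of the storage question the post raises; it is example code written for this page, not NatWest's implementation or anything the bank has published. It assumes a hypothetical server, a constructed printable alphabet, and two storage designs: a salted PBKDF2 hash of the whole password (the usual scheme), which can only verify a complete password, and a partial-character check, which needs the characters themselves. It goes one step beyond the post by also showing a per-position hash table, a variant sometimes proposed as a way to avoid plaintext, and why that table can be turned back into the password with a handful of guesses per position, so it offers no real protection beyond plaintext.

```python
import hashlib
import os
import secrets
from typing import List, Optional, Sequence, Tuple

# Constructed assumption: printable ASCII is the alphabet passwords are drawn from.
ALPHABET = [chr(c) for c in range(32, 127)]
PBKDF2_ROUNDS = 100_000


def hash_full_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Conventional storage: keep only a salted, slow hash of the whole password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_full_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Works only when the user supplies the entire password: a subset of
    characters cannot be checked against this digest without brute force."""
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(trial, digest)


def choose_positions(length: int, k: int = 2) -> List[int]:
    """Server side of the challenge: pick k distinct 1-based character positions."""
    return sorted(secrets.SystemRandom().sample(range(1, length + 1), k))


def verify_partial_plaintext(stored_password: str, positions: Sequence[int],
                             answers: Sequence[str]) -> bool:
    """The partial check as the post describes it: the server must be able to
    read the individual characters, i.e. hold the password in plaintext (or
    reversibly encrypted, which is equivalent for anyone holding the key)."""
    expected = "".join(stored_password[p - 1] for p in positions)
    return secrets.compare_digest(expected.encode(), "".join(answers).encode())


def _position_hash(salt: bytes, index: int, ch: str) -> bytes:
    return hashlib.sha256(salt + bytes([index]) + ch.encode()).digest()


def store_per_position_hashes(password: str, salt: bytes) -> List[bytes]:
    """Hypothetical alternative: hash every (position, character) pair on its own
    so the server can answer the challenge without a plaintext copy."""
    return [_position_hash(salt, i, ch) for i, ch in enumerate(password)]


def verify_partial_per_position(hashes: Sequence[bytes], salt: bytes,
                                positions: Sequence[int], answers: Sequence[str]) -> bool:
    for p, a in zip(positions, answers):
        if not secrets.compare_digest(_position_hash(salt, p - 1, a), hashes[p - 1]):
            return False
    return True


def recover_from_per_position_hashes(hashes: Sequence[bytes], salt: bytes) -> str:
    """Audit check showing why the per-position table is not meaningfully better
    than plaintext: each entry commits to a single character, so it has at most
    len(ALPHABET) candidates and is reversed with that many hash computations."""
    recovered = []
    for i, h in enumerate(hashes):
        match = next((ch for ch in ALPHABET if _position_hash(salt, i, ch) == h), "?")
        recovered.append(match)
    return "".join(recovered)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    salt, digest = hash_full_password(pw)
    print("full password verifies:", verify_full_password(pw, salt, digest))

    positions = choose_positions(len(pw))
    answers = [pw[p - 1] for p in positions]
    print("challenge positions:", positions)
    print("partial check (needs plaintext):", verify_partial_plaintext(pw, positions, answers))

    table = store_per_position_hashes(pw, salt)
    print("per-position check:", verify_partial_per_position(table, salt, positions, answers))
    print("table reversed to:", recover_from_per_position_hashes(table, salt))
```

The contrast between `verify_full_password` and `verify_partial_plaintext` is the heart of the question: a slow salted hash of the complete password gives the server nothing it can compare two characters against, so a site that accepts partial passwords must hold something from which those characters are directly readable.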