
Customer passwords should NEVER be accessible to support technicians

Luzern
Hero
Posts: 4,823
Thanks: 872
Fixes: 9
Registered: ‎31-07-2007

Re: Customer passwords should NEVER be accessible to support technicians

Does the OP really think that any operative will note down the two characters for future nefarious use? Chosen randomly by a computer, it's going to be nigh on impossible to get a full set. Worse, I'd think, than those games played with fuel station vouchers.
AND I bet the operatives are too busy.
No one has to agree with my opinion, but in the time I have left a miracle would be nice.
Mayfly
All Star
Posts: 1,560
Thanks: 425
Fixes: 1
Registered: ‎04-06-2009

Re: Customer passwords should NEVER be accessible to support technicians

I'm sure some time ago, when I changed my password, a PN CS advisor told me when I mentioned it that they can only see the 2 characters they ask me for, not the whole password, other than when I told them what password I wanted.
chrcoluk
Grafter
Posts: 1,990
Thanks: 5
Registered: ‎11-12-2013

Re: Customer passwords should NEVER be accessible to support technicians

Quote from: pg90
I've contacted tens and tens of companies in the past and absolutely none of them have ever asked for my password or part of it. Most places ask for home address, date of birth etc., or the answer to a "secret question" that you set up when you joined.
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
[Moderator's note by Adie (dvorak):  Full quote of preceding post removed, as per Forum Rule]

Actually, my bank asks for letters.
The rep cannot see the password.
What happens is the computer pops up asking for the letter, the rep asks the customer and then enters it, and the computer then says if it's correct or not.
x47c
Grafter
Posts: 881
Thanks: 3
Registered: ‎14-08-2009

Re: Customer passwords should NEVER be accessible to support technicians

Yes - that is how the Lloyds bank ID checking system works.
If a faster payment from you is blocked for some reason you get rung up by the bank to check it really is you.
The bank rep asks you lots of seemingly irrelevant questions from your credit report.
These are along the lines of "Do you have a credit card with a, b, c or d company?" etc.
The rep enters up all the answers.
At the end their computer says to the rep whether you have passed or failed.
You are allowed to get some wrong as I certainly have!
Importantly the bank rep never knows which of the answers you gave were right and which were wrong.
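The agent-blind check that chrcoluk and x47c describe above (the computer picks the positions, the rep types in what the caller says, and the screen only ever shows pass or fail), as an added Python example. This is not code from Plusnet, from any bank, or from anyone in this thread. It assumes a back-end "vault" that holds the credential and answers only pass/fail, a lockout after three failed checks, and a constructed demo password; the class and function names (Vault, AgentConsole, demo) are invented for illustration.

```python
"""Agent-blind partial-password verification (added example, not from the thread)."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 3          # assumed policy: lock after three consecutive failed checks
CHARS_PER_CHALLENGE = 2   # "give me the 2nd and 5th characters of your password"


class Vault:
    """Holds the credential and answers only pass/fail.

    Stands in for the bank's back-end / HSM. The agent desktop can call
    challenge() and verify() and nothing else; it never receives the password.
    """

    def __init__(self, vault_key: bytes):
        self._key = vault_key   # in a real deployment this key lives in an HSM/KMS
        self._records = {}      # customer_id -> (salt, per-position tags)
        self._pending = {}      # customer_id -> positions issued by the last challenge
        self._failures = {}     # customer_id -> consecutive failed checks

    def _tag(self, salt: bytes, position: int, char: str) -> bytes:
        msg = salt + position.to_bytes(2, "big") + char.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enrol(self, customer_id: str, password: str) -> None:
        # A salted hash of the whole password cannot answer "is character 4 an 'x'?",
        # so one keyed tag per position is stored instead. Each tag covers only one
        # character, so it is the vault key (not the tag) that protects the record.
        salt = os.urandom(16)
        tags = [self._tag(salt, i, c) for i, c in enumerate(password, start=1)]
        self._records[customer_id] = (salt, tags)
        self._failures[customer_id] = 0

    def is_locked(self, customer_id: str) -> bool:
        return self._failures.get(customer_id, 0) >= MAX_FAILURES

    def challenge(self, customer_id: str) -> list:
        """Pick the positions to ask for. The agent cannot choose them."""
        if self.is_locked(customer_id):
            raise PermissionError("account locked: verify the caller another way")
        _, tags = self._records[customer_id]
        positions = sorted(
            secrets.SystemRandom().sample(range(1, len(tags) + 1), CHARS_PER_CHALLENGE))
        self._pending[customer_id] = positions
        return positions

    def verify(self, customer_id: str, answers: dict) -> bool:
        """answers maps position -> character the caller gave. Returns only pass/fail."""
        positions = self._pending.pop(customer_id, None)   # each challenge is one-shot
        if positions is None or self.is_locked(customer_id):
            return False
        if sorted(answers) != positions:                   # must answer exactly what was asked
            return False
        salt, tags = self._records[customer_id]
        results = [hmac.compare_digest(self._tag(salt, p, answers[p]), tags[p - 1])
                   for p in positions]                     # check every position, no early exit
        ok = all(results)
        self._failures[customer_id] = 0 if ok else self._failures[customer_id] + 1
        return ok


class AgentConsole:
    """What the rep's screen does: show which positions to ask for, accept what the
    caller says, and display pass/fail. The password itself never reaches this class."""

    def __init__(self, vault: Vault):
        self.vault = vault
        self.audit = []   # (customer_id, positions, outcome): never the characters themselves

    def verify_caller(self, customer_id: str, caller_says) -> bool:
        positions = self.vault.challenge(customer_id)
        answers = {p: caller_says(p) for p in positions}   # rep types in what the caller reads out
        outcome = self.vault.verify(customer_id, answers)
        self.audit.append((customer_id, positions, outcome))
        return outcome


def demo():
    """Constructed demo: a genuine caller passes, an impostor guessing '?' fails."""
    vault = Vault(vault_key=os.urandom(32))
    vault.enrol("cust-001", "correct horse")               # constructed demo password
    desk = AgentConsole(vault)
    genuine = desk.verify_caller("cust-001", lambda p: "correct horse"[p - 1])
    impostor = desk.verify_caller("cust-001", lambda p: "?")
    return genuine, impostor


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the posts only imply. First, the scheme only works because the back end stores something that can answer per-character questions; an ordinary salted password hash cannot, so the protection rests on keeping the vault (and its key) away from the agent desktop, on the one-shot challenge, and on the lockout, since two characters from a keyboard-sized alphabet give a guesser roughly a one-in-a-few-thousand chance per attempt. Second, the audit trail records positions and outcomes but never the characters, which is exactly the property the thread says a support screen that displays the full password lacks.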
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

Everyone here seems to be missing the point. This isn't about what banks do, because their systems are entirely different. As I said, banks have the technology installed to allow their support staff to ask for certain bits of account information which their system can verify without their staff ever seeing the complete information.
Plusnet do not do this. Plusnet support staff can see your entire password (unless someone from Plusnet gets in here and tells me different).
Here is a quote from James, Plusnet staff, from about a year and a half ago:
Quote
We have to be able to see the full password for troubleshooting issues.

Find me a bank where their staff can view your online banking password...
Gel
Aspiring Champion
Posts: 2,337
Thanks: 300
Fixes: 29
Registered: ‎02-08-2007

Re: Customer passwords should NEVER be accessible to support technicians

Quote from: pg90
I've contacted tens and tens of companies in the past and absolutely none of them have ever asked for my password or part of it. Most places ask for home address, date of birth etc., or the answer to a "secret question" that you set up when you joined.
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
[Moderator's note by Adie (dvorak):  Full quote of preceding post removed, as per Forum Rule]
Incorrect as other posters testify.
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

Yes, my mistake, but the actual point in question remains. Nobody at your bank will be able to actually see those characters. Plusnet can see the whole thing. I'm at a loss as to why everyone's defence seems to be "other people do the same thing", when (a) this is not the case, and (b) it's completely irrelevant anyway. It's bad practice and it's dangerous.
matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Re: Customer passwords should NEVER be accessible to support technicians

There seems to be a run of these kind of questions out on the internet recently, and while I understand the security implications, I'd like to play devil's advocate here. Which is more secure to verify your identity:
1) Your date of birth, address and mother's maiden name
2) two characters out of a password you have chosen (and of course don't use anywhere else)
Personally I'm quite happy to go with option #2, because if the information I have about #1 gets compromised (heaven forbid someone knows when my birthday is) I can't change it. Your Plusnet account password should be unique to Plusnet, so that anyone finding out what it is should be limited in what they can do. So what if the staff at Plusnet can see what my Plusnet password is, next thing you know you'll be telling me they can make changes to my account! If you make the details for point #1 available to staff, and you're paying by Direct Debit every month, then all of a sudden the Plusnet operator knows your bank details, and also the generic set of security questions to get in!
If you want to go with the point of what everyone else does, consider this: every time you sign on to any website out there, you are sending your full password across the internet. Yes, you're encrypting it, but the servers at the other side get told it every single time you log in. Combine this with the security flaws in HTTPS (Heartbleed) from a few months back, and all of a sudden you've potentially given away your password to any website running with OpenSSL to anyone with enough time on their hands. If you want proper security, get rid of passwords altogether and move over to a PKI-based system!
x47c
Grafter
Posts: 881
Thanks: 3
Registered: ‎14-08-2009

Re: Customer passwords should NEVER be accessible to support technicians

Part of the problem is that your email often acts as a password reset tool for other sites.
...and with Plusnet your email, member centre and router DSL password are the same.
So if someone has access to your email and knows you have access to site B, all they need to do is to access site B using your email address and say they have lost the password.
Site B helpfully says it has sent a specific link to your registered email address.
As the hacker has access to your email, he can now reset your password on site B and they have full access.
So in some respects your email password should be one of the strongest passwords you have, as it is the key to others.
Then there is the other problem that many people don't give a monkey's and use the same password for every single site everywhere, and it is against this sort of attitude that software like Trusteer Rapport is designed to stop.
PS I never quote my real mother's maiden name. I have a selection of fictitious maiden names for use when required.
matthews
Rising Star
Posts: 145
Thanks: 8
Fixes: 1
Registered: ‎13-08-2014

Re: Customer passwords should NEVER be accessible to support technicians

Regarding the email address bit though, you shouldn't be using the primary email account for your day-to-day stuff, in the same way that I'm sure you don't log in as a local administrator on your computer and the username and password for UAC/sudo is a different one to the defaults and what you log in with. In fact, as far as Plusnet currently stands, you shouldn't be using that email at all unless via Webmail until the certificates are configured for SMTP etc., but that's another conversation.
There are always going to be people that can't be helped, such as those who use 1234 as pin codes. What's important is that everyone gets educated into how best to deal with it. What you're saying there is that you have a "password" instead of Mother's maiden name, which is a workaround for the system in the same way that what I suggested in my post (unique password which you don't mind them knowing) is a workaround for the system. No system is going to be perfect. Security is always a trade-off with usability. The only truly secure system is one that no one at all can get into.
Luzern
Hero
Posts: 4,823
Thanks: 872
Fixes: 9
Registered: ‎31-07-2007

Re: Customer passwords should NEVER be accessible to support technicians

Quote from: x47c
PS I never quote my real mother's maiden name. I have a selection of fictitious maiden names for use when required.
On sites such as forums I am either superior to royalty with more birthdays than the Queen, or a horse born on 1 January.
Also, for forums and elsewhere, when I thought my regular email address might be unsafe to use, I use another.
No one has to agree with my opinion, but in the time I have left a miracle would be nice.