I used online chat at 7.45am today and again at roughly 9am. Both times I was asked for the exact same characters in my password.
The what-ifs could be dangerous, as the text is visible on screen in the chat window for all near me to see if I happened to use a work/public connection to chase up an issue. Someone could easily figure out my username, aka my email, and they then have 2 characters of my password to try.
More random characters are needed when using online chat, and the password characters need to be hidden.
FTTP 500 regrade from Tues 28th November