We have purchasing cards with Barclays and the statements come in on a web portal.
The site has a secondary question, which I think they pick from various questions that were asked when originally set up.
So, I logged in, and was asked the extra security question, and got it wrong. The problem is that it was "What is your mother's middle name?". This is a horrid question! (a) not everyone has a middle name, and (b) she has two of them. So I forgot what I had put originally and got it wrong.
So, locked out. Great.
I have spent literally a month trying to get it sorted, with email replies taking a week, and eventually a lot of phoning and getting our business relationship manager to chase. Finally, the login was reactivated. Not a good user experience at all.
Same question, same mistake, locked out again, arrrrg!
OK, one more time with the shouting and chasing, and what do I get?
Yes, an unsigned, unencrypted, plain text email with a plain text password quoted that is valid for 2 months! (Yes, I have changed it).
Anyway, this time I guessed the right answer to the question.
To be fair, a password reset process is tricky. We send a link valid for a few hours, but that too is as good as plain text in a way, as someone could use it. Just seems so very wrong sending a plain text password by email somehow. I am glad we are setting up the proper 2FA stuff on our systems.
Even so, this looked so much like some sort of spam I nearly deleted it.