Re: Actual e-mail received from Talk Talk
"We will only ever ask for two digits from it to protect your security."
"Which implies totally insecure practice of storing password in plain text"
Not necessarily. Each digit/letter could be hashed and salted independently; it would enable this sort of check without saving anything in plaintext or decryptable format. Now as for the odds that TalkTalk indeed did this...
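The per-character scheme described in the reply above, as an added example that is not part of the original post: each position gets its own salt and hash so two requested digits can be checked, and the last function shows what such a record is worth if it leaks. The PIN value, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor, chosen for the example only


def _hash_char(ch: str, salt: bytes) -> bytes:
    """Salted, stretched hash of a single character."""
    return hashlib.pbkdf2_hmac("sha256", ch.encode(), salt, ITERATIONS)


def enroll(secret: str) -> list[tuple[bytes, bytes]]:
    """Build the stored record: one (salt, hash) pair per position, no plaintext."""
    record = []
    for ch in secret:
        salt = os.urandom(16)
        record.append((salt, _hash_char(ch, salt)))
    return record


def verify_positions(record, answers: dict[int, str]) -> bool:
    """Check only the requested 0-based positions, e.g. {1: "9", 4: "3"}."""
    if not answers:
        return False
    ok = True
    for pos, ch in answers.items():
        salt, stored = record[pos]
        ok &= hmac.compare_digest(_hash_char(ch, salt), stored)
    return ok


def recover_from_record(record, alphabet: str = "0123456789") -> str:
    """Rebuild the secret from a leaked record alone.

    Each position has only len(alphabet) candidates, so at most
    len(alphabet) * len(record) hash computations are needed; the salt
    prevents precomputed tables but not this exhaustive search.
    """
    out = []
    for salt, stored in record:
        out.append(next(c for c in alphabet
                        if hmac.compare_digest(_hash_char(c, salt), stored)))
    return "".join(out)


if __name__ == "__main__":
    rec = enroll("492731")  # constructed sample PIN
    print(verify_positions(rec, {1: "9", 4: "3"}))  # partial check succeeds
    print(recover_from_record(rec))                 # full PIN from the record
```

Nothing in the record is plaintext or decryptable, yet anyone holding it can rebuild a six-digit secret in at most 60 hash computations, so the record needs the same protection as the secret itself.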