
Sometimes passwords are stored in plain text to improve security. An example is K in mobile telephony, a number shared between the home network and the USIM. This is used for mutual authentication and establishing a cryptographic session key. There is no concept of a certification authority (which can be subverted) or a signature - there is just a shared secret, stored in plain text, so there are minimal trust requirements. But it is stored in a secure piece of hardware with write-only access for K. You pass a challenge in, and get back a number which can be used to prove identity, and a number which can be used to establish a crypto context (here I am simplifying by not describing the mutual authentication).

Ok, so in the context of your mortgage website, they may be doing the same thing. The motivation may be to stop keyloggers or anyone who is "inside" HTTPS getting the password. The implementation may be a hardware security module which is write-only for the password and which gives a yes/no answer when asked to check a character.
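The challenge-response with a write-only shared secret that the comment describes, modelled as an added Python example that is not part of the original post. The HMAC-SHA256 derivations, the labels, and the names SecureElement, HomeNetwork, RES and CK are constructed stand-ins for the real USIM functions; only the shape of the exchange is the point.

```python
import hmac
import hashlib
import os

# Illustrative derivations only (constructed labels, HMAC-SHA256), standing in
# for the real USIM functions; the shape of the exchange is what is modelled.

class SecureElement:
    """Holds K write-only: no getter, and repr() never shows it."""

    def __init__(self, k: bytes) -> None:
        self.__k = k  # only reachable through the derivations below

    def authenticate(self, rand: bytes) -> tuple:
        """Challenge in; (RES, CK) out. K itself never leaves the object."""
        res = hmac.new(self.__k, b"RES" + rand, hashlib.sha256).digest()[:8]
        ck = hmac.new(self.__k, b"CK" + rand, hashlib.sha256).digest()[:16]
        return res, ck

    def __repr__(self) -> str:
        return "SecureElement(K=<write-only>)"


class HomeNetwork:
    """Operator side: shares K and recomputes the expected values itself."""

    def __init__(self, k: bytes) -> None:
        self._k = k

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh RAND for every authentication

    def verify(self, rand: bytes, res: bytes) -> tuple:
        """Constant-time compare of RES; a session key only on success."""
        xres = hmac.new(self._k, b"RES" + rand, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(xres, res):
            return False, None
        return True, hmac.new(self._k, b"CK" + rand, hashlib.sha256).digest()[:16]


def run_auth(sim_k: bytes, net_k: bytes) -> tuple:
    """One exchange; returns (accepted, both sides hold the same CK)."""
    sim, network = SecureElement(sim_k), HomeNetwork(net_k)
    rand = network.challenge()
    res, ck_sim = sim.authenticate(rand)
    ok, ck_net = network.verify(rand, res)
    return ok, ok and ck_net == ck_sim
```

With matching K on both sides the network accepts and both derive the same CK; with mismatched K it rejects and releases no key, while K is never readable from the element.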


