My bank has a password-subset request form for logging in. This of course means that passwords are not being hashed. Also, I can be positive that the keystrokes used for the subset, are recorded and are visible to staff ("you have the correct letters, just try turning off CapsLock" was one response I got).