Vodaphone Mobil Data Security Flaw

I had the opportunity to buy the new iPad. I signed up for a Vodaphone mobile data account for £5. To top up the account I had to create an account with a new password. The password had to be between 8 and 15 characters, with at least one numeric, one uppercase, and one punctuation character. It took me a while to get one right.

This is only an illusion of security and is clearly “security theatre”.

And then a couple of days later I forgot it and had to request a password reminder. They sent the full password in an unencrypted email to the email address of record. Because that email address of record serves as an ID, anyone with knowledge of that ID and password (both bits of information in the unencrypted email) can get into the account. That email could be captured while traversing the internet, or by other methods.

Further, as they limit the maximum number of characters for the password, it appears as if they are capturing the password in text rather than storing a hash of that password. Password hashes cannot normally be reversed within the life of the universe. Therefore staff at Vodaphone, or hackers into Vodaphone, can get those passwords.
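The contrast described above, as an added example that is not Vodaphone's code or taken from the post: the server keeps only a salted hash (so no length cap is needed and no reminder email can ever contain the password), and the "forgot password" path issues a single-use reset token instead. The in-memory store, the PBKDF2 parameters and the example addresses are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed in-memory user store for this example: email -> record.
USERS = {}
PBKDF2_ROUNDS = 200_000  # assumed work factor, not a recommendation for any real site

def register(email, password):
    """Store only a salted PBKDF2 hash; the plaintext is never kept, so there is
    no reason to cap its length and no way for a reminder email to contain it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[email] = {"salt": salt, "hash": digest, "reset_token": None}

def verify(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time compare

def forgot_password(email):
    """The password cannot be mailed back because it is not stored. A random
    single-use token is issued instead; only its hash is retained server-side."""
    rec = USERS.get(email)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset_token"] = hashlib.sha256(token.encode()).digest()
    return token  # this, not the password, is what goes in the email

def reset_password(email, token, new_password):
    rec = USERS.get(email)
    if rec is None or rec["reset_token"] is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["reset_token"]):
        return False
    rec["reset_token"] = None  # single use: a captured token is worthless after this
    register(email, new_password)  # re-salts and re-hashes
    return True

def stored_plaintext(email):
    """True if any plaintext string survives in the stored record (it never does)."""
    return any(isinstance(v, str) for v in USERS[email].values())
```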

As said, just “security theatre” by Vodaphone.
