I believe NatWest and Halifax must do the same as they both ask you to "input characters x, y and z from your password" which I don't see how they could do without needing plain text storage. Of course I await being told how I am wrong with this!
Yup. Logging in to NatWest requires that you know your customer number, 3 numbers from a login PIN and 3 letters from a password.
They do use 2-factor authorisation for any new payees, so it's not totally insecure.
On the other hand, their recent 'get cash from the nearest ATM with a code we send to your phone if you've lost your wallet' app was soundly compromised by criminal gangs within days, and the service had to be pulled entirely. They're still advertising it on the homepage, but when you click through it says "We're sorry. Get Cash is not available at the moment. We are currently updating this service to increase the level of security around it."
Reading the blurb for the Get Cash service made a likely compromise route immediately obvious to me: it seems very likely that anyone who's had sight of your debit card could register an arbitrary phone & extract cash from your account, because the only details needed to verify your phone were on the card, or easily guessable (NatWest customer numbers are extremely predictable unfortunately).
If there was anyone obviously better I'd be dumping NatWest, but it's not obvious that any of the other major banks are much of an improvement :(
This is a separate code to your password, and there is no reason each letter could not also be stored as a hash after being salted with some personal information.
> there is no reason each letter could not also be stored as a hash after being salted with some personal information.
There's no technical reason, but you may as well just store it as plain text.
Even assuming everyone used all the available Unicode symbols (~110,000 according to Wikipedia), an eight-character password would only require calculating 880,000 hashes in order to brute force every character.
Assuming a more realistic A-Za-z0-9, an eight-character password is an absolutely pathetic 496 hashes. A 1,024-character password (good luck remembering that) is still a paltry 63,488.
For comparison, hashed as a whole that same A-Za-z0-9 at eight characters is 218,340,105,584,896 (62^8).
Hashing the characters individually changes adding more characters from exponentially increasing the work involved to linearly. It's as good as useless.
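The work-factor argument in the reply above, as an added illustration that is not part of the original thread and does not describe any bank's actual implementation: a toy per-character scheme (SHA-256 over an assumed salt, position and single character) is compared with hashing the whole password. The enumeration below is the defender's calculation of how many hash evaluations the scheme costs at most, which is linear in the length (62 × 8 = 496 for A-Za-z0-9) rather than exponential (62^8). The salt format, the use of SHA-256 and the sample password are all constructed for the example.

```python
import hashlib
import string

# Assumed alphabet from the thread: A-Za-z0-9, 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def hash_char(ch: str, salt: str, position: int) -> str:
    """Hypothetical per-character scheme: hash one character together with a
    per-user salt and its position (so identical letters hash differently)."""
    return hashlib.sha256(f"{salt}:{position}:{ch}".encode()).hexdigest()


def store_per_character(password: str, salt: str) -> list[str]:
    """Store one hash per character, as the thread's scheme would."""
    return [hash_char(c, salt, i) for i, c in enumerate(password)]


def store_whole(password: str, salt: str) -> str:
    """Conventional salted hash of the whole password, for comparison."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def measure_per_character_work(stored: list[str], salt: str,
                               alphabet: str = ALPHABET) -> tuple[str, int]:
    """Show why per-character hashes are as good as plaintext: each position can
    be resolved independently, so the cost is sum over positions of the alphabet
    size, never the product. Returns the resolved string and the number of hash
    evaluations actually spent, which is bounded by len(alphabet) * len(stored)."""
    resolved = []
    evaluations = 0
    for i, target in enumerate(stored):
        for candidate in alphabet:
            evaluations += 1
            if hash_char(candidate, salt, i) == target:
                resolved.append(candidate)
                break
        else:
            raise ValueError(f"position {i} uses a symbol outside the alphabet")
    return "".join(resolved), evaluations


def worst_case_per_character(length: int, alphabet_size: int) -> int:
    """Upper bound on evaluations for the per-character scheme: linear in length."""
    return alphabet_size * length


def worst_case_whole(length: int, alphabet_size: int) -> int:
    """Upper bound for a whole-password hash: exponential in length."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample values; the salt stands in for the "personal information".
    salt = "customer-1234-example"
    password = "Xk9aZq2P"

    stored = store_per_character(password, salt)
    resolved, spent = measure_per_character_work(stored, salt)
    print(f"per-character scheme resolved {resolved!r} after {spent} hashes "
          f"(bound {worst_case_per_character(len(password), len(ALPHABET))})")
    print(f"whole-password hash bound: {worst_case_whole(len(password), len(ALPHABET)):,}")
    print(f"1,024-character bound, per-character: {worst_case_per_character(1024, 62):,}")
    print(f"full Unicode (~110,000), 8 chars, per-character: "
          f"{worst_case_per_character(8, 110_000):,}")
```

Running it reproduces the thread's figures (496 and 63,488 against 62^8 = 218,340,105,584,896) and shows that the same storage decision that lets a site ask for "characters x, y and z" also means the whole secret costs at most a few hundred hash evaluations to reconstruct, regardless of the salt or hash function chosen.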