I didn't people don't do it... some banking sites have made some curious security choices.
Drop downs are good since they circumvent capture by key loggers.
It's one of those things that's easy to detect on the local machine (as Windows does on login), but not so easy with a web site. Keep in mind that if the web site has good security, they don't know what your password is. All they can do is see if what you entered matches the hash they generated from your original password. Either it matches or it does not; there are no shades of grey.
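The match-or-no-match point above, as an added example that is not part of the original post: a server holding only a salted hash gets a plain yes/no from verification, and the hash of a Caps Lock variant of the password is no "closer" to the stored hash than the hash of any other wrong guess. The use of PBKDF2-HMAC-SHA256, the iteration count, the salt and the sample password are all assumptions made for the illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value a site would store instead of the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    """All the server learns: does the candidate hash equal the stored hash?"""
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample data (not real credentials).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ENROLLED = "Tr1cky-Passphrase"
STORED = hash_password(ENROLLED, SALT)


def compare_attempts() -> dict:
    """Return {label: (verified, bits differing from the stored hash)}."""
    attempts = {
        "correct": ENROLLED,
        "caps_lock_on": ENROLLED.swapcase(),   # what Caps Lock would type
        "unrelated": "completely different",
    }
    return {
        label: (verify(pw, SALT, STORED),
                bit_distance(hash_password(pw, SALT), STORED))
        for label, pw in attempts.items()
    }


if __name__ == "__main__":
    for label, (ok, distance) in compare_attempts().items():
        print(f"{label:13} verified={ok!s:5} differing bits={distance}/256")
```

Both wrong attempts differ from the stored hash in roughly half of the 256 bits, so the stored value gives the server nothing to distinguish a Caps Lock slip from an unrelated guess.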