The hard inquiry isn't too uncommon.

The mother's maiden name is a common (though terrible) identity verification step for banks.

But if the password is your login password, I'd pass, and probably switch banks, because that screams "we have terrible account security" almost as bad as "your password can't have these blacklisted special characters" or "password can't be longer than n characters". At that point, I'd err on the side of assuming my password is stored in plaintext somewhere in their system, and change it anywhere where I'm using the same password.

If, however, it's some kind of separate identification verification passphrase you set up when creating your account, that's somewhat common, and I'd trust it if you called the number on the back of your card.